[tpm2] Re: Ecrypting and decrypting a file using a TPM2

[Petr Gotthard <petr.gotthard at centrum.cz>]

[-- Attachment #1: Type: text/plain, Size: 3031 bytes --]

I believe it may be easier to use openssl and its tpm2-openssl provider. OpenSSL can encrypt/decrypt files and the tpm2-openssl provider enables the use of TPM-based keys.
 
Petr
______________________________________________________________
> Od: "Steven Clark" <davolfman(a)gmail.com>
> Komu: dawn.howe(a)alten.com
> Datum: 15.06.2022 02:27
> Předmět: [tpm2] Re: Ecrypting and decrypting a file using a TPM2
>
> CC: <tpm2(a)lists.01.org>
Generally bulk symmetric encryption is a feature real TPMs don't implement.  What you do is generate a random transmission key for AES encryption with something like OpenSSLs libcrypto and encrypt that ephemeral key with the TPM.

On Tue, Jun 14, 2022, 5:06 PM <dawn.howe(a)alten.com <dawn.howe(a)alten.com>> wrote:I am writing a c++ application on ubuntu 22.04 server that needs to encrypt and decrypt files and am using the FAPI api. The files need to be secured until the application uses them at a later time, so I am receiving plain files and encrypting them using Fapi_Encrypt(). 
 
 I tried following the pattern in the integration tests found in the tpm2-tools. (tpm2-tools/test/integration/fapi/fapi-encrypt-decrypt.sh)
 
 It basically does the following:
 Fapi_Initialize(&global_fapi_context, NULL);
 Fapi_Provision (global_fapi_context, NULL, NULL, NULL);
 
 const char * key_type = "noDa, decrypt, system";
 char * auth_value = NULL; // no password
 char * policy_path = NULL;
 Fapi_CreateKey (global_fapi_context, key_path, key_type, policy_path, auth_value);
 
 Fapi_Encrypt (global_fapi_context, key_path, (const uint8_t*)data, size, &cipherText, &cipherTextSize);
 
 The files (data buffer) I need to encrypt are about 3k bytes big. 
 
 The encryption fails because the file is too big. The error comes from 
 .../tpm2-tss/src/tss2-fapi/api/Fapi_Encrypt.c line 309:
 
 if (encKeyObject->misc.key.public.publicArea.type == TPM2_ALG_RSA) {
                 TPM2B_DATA null_data = { .size = 0, .buffer = {} };
                 TPM2B_PUBLIC_KEY_RSA *rsa_message = (TPM2B_PUBLIC_KEY_RSA *)&context->aux_data;
                 size_t key_size =
                     encKeyObject->misc.key.public.publicArea.parameters.rsaDetail.keyBits / 8;
                 if (context->cmd.Data_EncryptDecrypt.in_dataSize > key_size) {
                     goto_error_reset_state(r, TSS2_FAPI_RC_BAD_VALUE,
                                            "Size to big for RSA encryption.", error_cleanup);
 
 
 Is my strategy completely wrong? What's the proper way to do this?  Is my strategy ok, but need to generate a different type of key?
 
 I'm new to this technology and am curious how it ought to be done.
 _______________________________________________
 tpm2 mailing list -- tpm2(a)lists.01.org <tpm2(a)lists.01.org>
 To unsubscribe send an email to tpm2-leave(a)lists.01.org <tpm2-leave(a)lists.01.org>
 %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s


[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 4137 bytes --]