🔑 TPM 2.0 plugin for age


Foxboron/age-plugin-tpm


age-plugin-tpm is a plugin for age clients like age and rage, which enables files to be encrypted to age identities sealed by the TPM.

Features

  • Keys created on the TPM, sealed outside of it
  • PIN support
  • TPM session encryption

Experimental

The identity format and technical details might change between iterations. Consider this plugin experimental.

Instead of utilizing the TPM directly, you can use --swtpm or export AGE_TPM_SWTPM=1 to create an identity backed by swtpm, which will be stored under /var/tmp/age-plugin-tpm.

Note that swtpm provides no security properties and should only be used for testing.

Installation

The simplest way of installing this plugin is by running the following go command.

    go install github.com/foxboron/age-plugin-tpm/cmd/age-plugin-tpm@latest

Alternatively, download the pre-built binaries.

Usage

    # Create identity
    $ age-plugin-tpm --generate -o age-identity.txt
    $ age-plugin-tpm -y age-identity.txt > age-recipient.txt

    # Encrypt / Decrypt something
    $ echo 'Hack The Planet!' | age -R age-recipient.txt -o test-decrypt.txt
    $ age --decrypt -i age-identity.txt -o - test-decrypt.txt
    Hack The Planet!

You can add --pin when calling --generate to require a PIN when encrypting or decrypting.

When used non-interactively

If you want to use a --pin non-interactively, you can use the AGE_TPM_PIN environment variable. Please be aware that environment variables are not secure, and can be read from /proc/$PID/environ.

    # Create identity
    $ AGE_TPM_PIN=1234 age-plugin-tpm --generate --pin -o age-identity.txt
    $ age-plugin-tpm -y age-identity.txt > age-recipient.txt

    # Encrypt / Decrypt something
    $ echo 'Hack The Planet!' | age -R age-recipient.txt -o test-decrypt.txt
    $ AGE_TPM_PIN=1234 age --decrypt -i age-identity.txt -o - test-decrypt.txt
    Hack The Planet!
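To check where the PIN is exposed on a host, the following added example (not part of age-plugin-tpm or its README) lists the PIDs whose environment block carries AGE_TPM_PIN without printing the value. The function names `pin_exposed_pids` and `build_sample_proc` are hypothetical, and the sample proc tree is constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example): report which processes hold AGE_TPM_PIN
# in their environment block. The PIN value itself is never printed.

# pin_exposed_pids [PROC_ROOT]
# Prints one PID per line. PROC_ROOT defaults to /proc and is a parameter
# only so the function can be exercised against a constructed tree.
pin_exposed_pids() {
    root=${1:-/proc}
    for env in "$root"/[0-9]*/environ; do
        # Skip unmatched globs and processes we are not allowed to read.
        [ -r "$env" ] || continue
        # environ is NUL-separated: split into lines and match the variable
        # name at the start of an entry, so NOT_AGE_TPM_PIN does not count.
        if tr '\0' '\n' 2>/dev/null < "$env" | LC_ALL=C grep -q '^AGE_TPM_PIN='; then
            pid=${env%/environ}
            echo "${pid##*/}"
        fi
    done
}

# build_sample_proc DIR
# Constructed sample data: three fake processes, only PID 101 holds the PIN.
build_sample_proc() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    printf 'PATH=/usr/bin\0AGE_TPM_PIN=0000\0HOME=/root\0' > "$1/101/environ"
    printf 'PATH=/usr/bin\0HOME=/root\0' > "$1/102/environ"
    printf 'NOT_AGE_TPM_PIN=1\0XAGE_TPM_PIN=1\0' > "$1/103/environ"
}

# Demonstration: first the constructed tree, then the live /proc.
sample=$(mktemp -d)
build_sample_proc "$sample"
echo "constructed sample: $(pin_exposed_pids "$sample" | tr '\n' ' ')"
echo "live /proc:         $(pin_exposed_pids /proc | tr '\n' ' ')"
rm -rf "$sample"
```

A long-lived shell or service that has the variable exported shows up here together with every child it starts, whereas the per-command `AGE_TPM_PIN=1234 age ...` form used above limits it to that one process. As an unprivileged user the scan only sees your own processes; run it as root to cover the whole host.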

Commands

An age identity can be created with:

    $ age-plugin-tpm --generate -o age-identity.txt
    # Created: 2023-07-05 22:38:36.362043774 +0200 CEST m=+0.110154231
    # Recipient: age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36

    AGE-PLUGIN-TPM-1QYQSQLSQYZJN56KJ4WHGP676AW248W7Z3KE7JRP8HWGGTW98CX955U9NCV4G2QQS828ZMZNQLLC57QU037ELMLA0RR56SM35HLJAFHKY0EH7J62SYJLX3YFULEE7AQJR0DJX7D33HRKWRYHNXFN0TRS45MKUHZGRU3K3EPRUSGSWWV07K2PKTFF79YVACDZSVEKAYY4GEAM6DRNQQPTQQGCQPVQQYQRJQQQQQYQQZQQQXQQSQQSQLFXWNXQX9LSKL2GNGFNS4RZPJ0HPU4JV7G2GEV7ZYP0LPJJAGEGQYQE8GSEC0GWWDVKAFT04QTJWCU3T2KYVXGER35FVMHEY0ZDGEHC4C0EXJ8Y

To display the recipient of a given identity:

    $ age-plugin-tpm -y age-identity.txt
    age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36

License

Licensed under the MIT license. See LICENSE or http://opensource.org/licenses/MIT

