| 16 Jul 2021 |
 andi- | perhaps the TPM needs the current time? | 20:01:31 |
 @grahamc:nixos.org | TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
| 20:01:36 |
| @grahamc:nixos.org | * [nix-shell:~]#
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
| 20:01:50 |
| @grahamc:nixos.org | * [nix-shell:~]# tpm2 getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
| 20:02:03 |
| andi- | $ tpm2 getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 1
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 1
TPM2_PT_HR_NV_INDEX: 0x0
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x6
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x7
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0x19
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
| 20:24:59 |
| andi- | did yours report less or did you just stop copying? | 20:26:05 |
| @grahamc:nixos.org | stopped copying | 20:33:52 |
| @grahamc:nixos.org | my guess is that because I haven't set a lockoutauth it isn't decrementing for some reason | 20:34:01 |
|  @colemickens:matrix.org joined the room. | 22:07:58 |
| 17 Jul 2021 |
 @mic92:nixos.dev | In reply to @andi:kack.it
Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC. No. What praticial security would it provide for users though to use TPM in this case? | 04:50:08 |
| @mic92:nixos.dev | Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password? | 04:50:56 |
| andi- | In reply to @mic92:nixos.dev
Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password? The key never exists in memory and the TPM could ensure that the device-specific secret for the password manager only ever works on this machine when you boot a trusted system (your bootloader, kernel, ...). | 07:58:27 |
| andi- | So the boot (+password) would unlock the TPM and then each and every password you'd decrypt using the TPM instead of a derived key in memory. | 07:59:04 |
| @mic92:nixos.dev | Ok, for device specific credentials this might be helpful but not the classic password manager that is synched across devices. | 08:01:07 |
| andi- | Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key | 08:02:19 |
| andi- | IMHO it would just be one more key I encrypt things for | 08:02:42 |
| @mic92:nixos.dev | An attack on the password manager would not look much different if an TPM would be involved I would say | 08:04:45 |
| @mic92:nixos.dev | Passwords need to be at some point in memory | 08:05:43 |
| @mic92:nixos.dev | It's different when you use the yubi key to authenticate remotly against a different system. | 08:06:15 |
| @mic92:nixos.dev | Than you never need to have the key in host memory | 08:06:32 |
| andi- | My threat is more about local code execution stealing keys | 08:09:46 |
| @mic92:nixos.dev | The key for what? | 08:11:03 |
| @mic92:nixos.dev | A second use case for TPM would be second factor auth | 08:15:48 |
| @mic92:nixos.dev | Also interesting: https://github.com/mtth-bfft/tpm-otp | 08:18:28 |
| andi- | In reply to @mic92:nixos.dev
The key for what? The key for the passwords. | 08:47:47 |
| @mic92:nixos.dev | In reply to @andi:kack.it
The key for the passwords. It seems like a small win in security for an increased complexity, since the passwords itself are still in plain | 08:48:57 |
| andi- | Yeah but it defeats all kinds of offline attacks on my password database | 08:49:24 |
| andi- | you can use my entire disk and still have no way to decrypt my passwords. Not even if you also have a memory dump. | 08:49:38 |
| andi- | You only obtain what you can observe me requesting. | 08:50:02 |
| @mic92:nixos.dev | I can imangine for most people the risk of loosing access to all their passwords is higher when their hardware breaks than the added security. | 08:51:56 |
