KVM has recently added virtualized TPM support. A virtual TPM can be very valuable from a security standpoint (and is arguably more trustworthy than a hardware TPM, since the emulator is open source and auditable; the trade-off is that its root of trust becomes the host that runs it). A big win is that it can be used like a virtual smartcard, giving the isolation of Qubes’ split-gpg but for more kinds of software keys: OpenSSH, OpenSSL and others.
To summarize in someone else’s words:
TPMs are useful as an alternative to key cards: they provide the same security against key theft and the same cryptographic protections. The main difference is that TPMs are universally present in every laptop, so they provide a simple and ubiquitous solution to key security. The only real downside is that, unlike key cards, TPM-protected keys cannot be transferred between laptops; you must instead keep an offline backup copy of the key, which can then be transferred to the TPM of any new laptop.
The way TPM protection works is slightly different from key cards.
Instead of moving the key inside the card, the TPM converts any given key to a TPM-specific representation (meaning it’s encrypted by a special key that only the TPM possesses). The TPM representation must be stored offline somewhere, and if it is lost, so is the protected key.
The way I implemented this is to use the TPM to convert the key to the protected representation and then store it in the shadow_info of a shadowed-private-key using a shadow type of tpm2-v1. The TPM can handle an arbitrary number of keys, but the price is that the shadow_info stores the keys and must be preserved.
Patches for GPG support for TPMs have been submitted, but I have yet to see what happened. This needs following up for sure so it can hopefully make it before the next freeze.
To be done:
- How to secure OpenSSH keys
- Suggest that Tor support this for Onion service keys, and even for session key material, when a TPM is detected.
The contents of the virtual TPM (the emulator's state files on the host) can be encrypted at rest with the libvirt version in Bullseye: the domain's TPM backend references a libvirt secret that holds the state encryption key.
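As an added example (not code from this page or from libvirt itself), this is how that at-rest encryption is wired up on a Bullseye host: a libvirt secret with usage type `vtpm` carries the swtpm state key, and the guest's `<tpm>` device points at that secret by UUID. The domain name `guest1`, the secret name, and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the page): give a libvirt/KVM guest a vTPM whose
# swtpm state is encrypted with a libvirt secret, as libvirt in Bullseye allows.
# Assumptions: libvirt >= 7.0 with swtpm installed; the domain name, secret
# name and temp-file handling below are placeholders chosen for this example.
set -eu

DOMAIN="${DOMAIN:-guest1}"
SECRET_NAME="${SECRET_NAME:-vtpm-${DOMAIN}}"

# libvirt secret definition. usage type 'vtpm' marks it as a swtpm state key;
# private='yes' means virsh will never hand the value back out.
vtpm_secret_xml() {
    cat <<EOF
<secret ephemeral='no' private='yes'>
  <description>swtpm state encryption key for $1</description>
  <usage type='vtpm'>
    <name>$2</name>
  </usage>
</secret>
EOF
}

# <devices> fragment for the guest: TPM 2.0 through the swtpm emulator,
# state encrypted with the secret whose UUID is passed in.
vtpm_device_xml() {
    cat <<EOF
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'>
    <encryption secret='$1'/>
  </backend>
</tpm>
EOF
}

# Create the secret, give it a random 256-bit value, and print the device
# fragment to paste into 'virsh edit DOMAIN'.
provision() {
    secret_def=$(mktemp); keyfile=$(mktemp)
    trap 'rm -f "$secret_def" "$keyfile"' EXIT
    vtpm_secret_xml "$DOMAIN" "$SECRET_NAME" > "$secret_def"
    # virsh prints "Secret <uuid> created"
    uuid=$(virsh secret-define "$secret_def" | awk '/created/ {print $2}')
    # Keep the key off the command line (and out of 'ps'): pass it via a file.
    openssl rand -base64 32 > "$keyfile"
    virsh secret-set-value --secret "$uuid" --file "$keyfile"
    echo "Secret $uuid defined; add this under <devices> of $DOMAIN:" >&2
    vtpm_device_xml "$uuid"
}

# Check after editing the domain: the TPM backend must reference a secret.
verify() {
    if virsh dumpxml "$DOMAIN" | grep -q "<encryption secret="; then
        echo "vTPM state of $DOMAIN is encrypted"
    else
        echo "no encrypted vTPM on $DOMAIN" >&2
        return 1
    fi
}

case "${1:-}" in
    provision) provision ;;
    verify)    verify ;;
esac
```

Run it as `sh vtpm-encrypt.sh provision`, paste the printed fragment into `virsh edit guest1`, then `sh vtpm-encrypt.sh verify`. One caveat worth stating: libvirtd keeps the secret value on the host (under /etc/libvirt/secrets), so this protects the swtpm state files against being copied off the host or out of a backup, not against root on the host itself.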
This nifty code supports the major applications on TPM 2:
* OpenSSH client (SSH key in TPM)
* Firefox (private key of a client certificate in TPM)
* GnuPG via gnupg-pkcs11-scd (PGP key in TPM)
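As an added example (not code from this page or from the project it refers to), here is the OpenSSH case end to end, assuming the PKCS#11 module meant above is tpm2-pkcs11 with its `tpm2_ptool` helper as packaged on Debian: create a token and key in the TPM, export the public half, and point ssh at the module. The module path, store location, token and key labels, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the page): provision an OpenSSH client key inside a
# TPM 2.0 through the tpm2-pkcs11 PKCS#11 module and use it from ssh.
# Assumptions: tpm2-pkcs11 (with tpm2_ptool) and OpenSSH are installed, the
# module path is Debian's, and the token/key labels are placeholders.
set -eu

MODULE="${TPM2_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"
STORE="${TPM2_PKCS11_STORE:-${HOME:-.}/.tpm2_pkcs11}"
LABEL="${TOKEN_LABEL:-ssh}"

# Create the store, a primary key, a token and an ECC P-256 key in that token.
# The store is an SQLite file holding the TPM-wrapped key blobs: the private
# key never leaves the TPM, but losing the store loses the key (the same
# "protected representation must be preserved" point the quoted text makes),
# so back it up.
provision() {
    : "${SOPIN:?set SOPIN (token security-officer PIN)}"
    : "${USERPIN:?set USERPIN (the PIN ssh will prompt for)}"
    mkdir -p "$STORE" && chmod 700 "$STORE"
    export TPM2_PKCS11_STORE="$STORE"
    tpm2_ptool init --path "$STORE"
    tpm2_ptool addtoken --pid 1 --label "$LABEL" \
        --sopin "$SOPIN" --userpin "$USERPIN" --path "$STORE"
    tpm2_ptool addkey --label "$LABEL" --userpin "$USERPIN" \
        --algorithm ecc256 --key-label sshkey --path "$STORE"
    # Print the public half in authorized_keys form; the private half cannot
    # be exported, which is the point.
    ssh-keygen -D "$MODULE"
}

# ssh_config stanza telling ssh to sign with the TPM-resident key.
ssh_config_snippet() {
    printf 'Host %s\n    PKCS11Provider %s\n' "$1" "$2"
}

# Per-connection use, or load into the agent so the PIN is asked once.
connect() {
    TPM2_PKCS11_STORE="$STORE" ssh -I "$MODULE" "$1"
}
load_into_agent() {
    TPM2_PKCS11_STORE="$STORE" ssh-add -s "$MODULE"
}

case "${1:-}" in
    provision) provision ;;
    connect)   connect "$2" ;;
    agent)     load_into_agent ;;
    config)    ssh_config_snippet "$2" "$MODULE" ;;
esac
```

Usage: `SOPIN=... USERPIN=... sh tpm-ssh.sh provision` prints the public key to install in `authorized_keys`; `sh tpm-ssh.sh config bastion >> ~/.ssh/config` makes the key the default for that host. ssh prompts for the token's user PIN on each signature unless the module has been loaded into the agent with `sh tpm-ssh.sh agent`.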