Testing tpm2-pkcs11with KVM vTPM 2.0


ID: 931
PHID: PHID-TASK-cne4wrzhrinuxjw27xek
Author: HulaHoop
Status at Migration Time: invalid
Priority at Migration Time: Normal


KVM supports emulated TPM2 hardware and the version in Bullseye gains the ability to encrypt its secrets [0]. tpm2-pk11 [1] is a program that allows protecting OpenSSH and firefox private keys using the TPM. If the package finds a new upstream maintainer we can test it in Debian stable-next with the virtual TPM hardware.

Debian maintainers will move to tpm2-pkcs11 [3]

[0] KVM virtual TPM aka the "Universal Smartcard"

[1] GitHub - irtimmer/tpm2-pk11: [DEPRECATED] PKCS#11 Module for TPM 2.0

[2] Home · irtimmer/tpm2-pk11 Wiki · GitHub

[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941951#10


The above package depends on gnupg-pkcs11-scd which is available in Debian.


only works for TPM 1.2

Opened a RFP for this package which fulfills this ticket in case someone upstream picks it up. https://bugs.debian.org/941951

The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.



2019-10-07 19:29:21 UTC


2019-10-10 13:47:52 UTC


2023-01-19 10:53:17 UTC