diff --git a/www/tpm.xml b/www/tpm.xml index d1f8994e..4e51c8c9 100644 --- a/www/tpm.xml +++ b/www/tpm.xml @@ -10,20 +10,42 @@

Trusted Platform Module (TPM) support

-

OpenConnect supports the use of private keys secured or "wrapped" by a TPM. -These keys appear in the form of a PEM file marked with the tag: -

-----BEGIN TSS KEY BLOB-----
-These files can be created by the create_tpm_key tool which is -part of the -OpenSSL -TPM ENGINE or the tpmtool which is part of the GnuTLS distribution.

+

OpenConnect supports the use of private keys secured or "wrapped" +by a TPM. Instead of being stored inside the trusted hardware as with +typical PKCS#11 keys, the key is encrypted by the TPM and handed back +to the user to be saved in a PEM file. Only the same TPM can decrypt +the file, and use the private key.

Use of TPM-wrapped keys is entirely transparent with GnuTLS. If built with TPM support, OpenConnect will automatically use the TPM when presented with an approprate PEM file with a TPM-wrapped key.

-

For OpenSSL, the TPM ENGINE must be installed correctly on the system, +

For OpenSSL, the appropriate TPM ENGINE must be installed correctly on the system, and OpenConnect will load and use it automatically when appropriate.

+

TPM v1

+ +

TPM v1 wrapped keys are supported with both OpenSSL and GnuTLS builds of OpenConnect. + +These keys appear in the form of a PEM file marked with the tag: +

-----BEGIN TSS KEY BLOB-----
+These files can be created by the create_tpm_key tool which is +part of the +OpenSSL +TPM ENGINE or the tpmtool which is part of the GnuTLS distribution.

+ +

TPM v2

+ +

There are, unfortunately, two incompatible ENGINE implementations available for TPM v2 with OpenSSL. + +For openssl_tpm2_engine the PEM file has the tag: +

-----BEGIN TSS2 KEY BLOB-----
+The tpm2-tss-engine uses a different PEM tag: +
-----BEGIN TSS PRIVKEY BLOB v1-----
+ +Both of these OpenSSL engines can be used by OpenConnect if they are installed.

+ +

GnuTLS support for TPM v2 has not yet been implemented but is being worked on.

+
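Review bot: The retained sentence "Use of TPM-wrapped keys is entirely transparent with GnuTLS" now contradicts the new closing line "GnuTLS support for TPM v2 has not yet been implemented", since the page covers both TPM versions after this change; qualify it (for example "Use of TPM v1 wrapped keys is entirely transparent with GnuTLS") or move it into the new TPM v1 section. Two smaller points in the same hunk: the TPM v2 section gives the PEM tags for openssl_tpm2_engine and tpm2-tss-engine but, unlike the TPM v1 section with its create_tpm_key and tpmtool references, does not say which tool produces each file, so one sentence naming the creation tool for each engine would help readers match a PEM tag to an engine; and the unchanged context line still carries the typo "approprate", which this edit to the same paragraph is a good opportunity to fix.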