VyOS Platform

TPM-backed config encryption
In progress, Wishlist, Public, Feature Request

Description

Looking into the viability of adding support for TPM-backed encryption of /config data.

Various factors to consider:

  • Which PCRs to require to ensure hardware/software integrity (end-user configurable?)
  • Handling failed config decryption on boot (fallback config?)
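A sketch of the two points above in working form, added here as an example and not code from VyOS or from the linked vyos-build PR: a config-encryption key is sealed to a PCR policy with tpm2-tools, and at boot the router either unseals it and opens the encrypted /config volume or falls back to a default config. It assumes tpm2-tools 5.x with a TPM 2.0 at /dev/tpmrm0, a LUKS2 volume for /config opened with cryptsetup, and the PCR set sha256:0,2,4,7; the paths in SEAL_DIR, CONFIG_DEV and FALLBACK_CFG are illustrative assumptions, as is the PCR selection.

```shell
#!/bin/sh
# Added example (not VyOS code): seal a /config encryption key to a PCR policy and fall
# back to a default config when the TPM refuses to release it. Assumes tpm2-tools 5.x and
# a TPM 2.0 exposed at /dev/tpmrm0; all paths and the PCR set below are assumptions.

PCRS="${PCRS:-sha256:0,2,4,7}"            # firmware, option ROMs, bootloader, Secure Boot state
SEAL_DIR="${SEAL_DIR:-/config/tpm}"       # sealed blob (public + private parts) lives here
CONFIG_DEV="${CONFIG_DEV:-/dev/disk/by-label/vyos-config}"            # assumed LUKS2 volume
FALLBACK_CFG="${FALLBACK_CFG:-/opt/vyatta/etc/config.boot.default}"  # assumed fallback config

# The primary key is derived deterministically from the owner-hierarchy seed, so the same
# template recreates the same key after a reboot; TPM context files do not survive a reset.
create_primary() {
    tpm2_createprimary -Q -C o -G rsa -g sha256 -c "$1/primary.ctx"
}

# One-time enrolment: generate the key, bind it to the current PCR values, seal it, and
# remove the plaintext copy from disk.
seal_config_key() {
    mkdir -p "$SEAL_DIR"
    head -c 32 /dev/urandom > "$SEAL_DIR/key.bin"
    create_primary "$SEAL_DIR"
    tpm2_createpolicy -Q --policy-pcr -l "$PCRS" -L "$SEAL_DIR/pcr.policy"
    # No userwithauth attribute: satisfying the PCR policy is the only way to unseal.
    tpm2_create -Q -C "$SEAL_DIR/primary.ctx" -g sha256 \
        -a "fixedtpm|fixedparent|noda" -L "$SEAL_DIR/pcr.policy" \
        -i "$SEAL_DIR/key.bin" -u "$SEAL_DIR/seal.pub" -r "$SEAL_DIR/seal.priv"
    shred -u "$SEAL_DIR/key.bin" "$SEAL_DIR/primary.ctx"
}

# Boot time: ask the TPM for the key and write it to the file named by $1. Returns 1 when
# tooling or the TPM is missing, or the live PCRs differ from those the key was sealed to.
unseal_config_key() {
    out="$1"
    command -v tpm2_unseal >/dev/null 2>&1 || return 1
    [ -e /dev/tpmrm0 ] || return 1
    [ -f "$SEAL_DIR/seal.priv" ] || return 1
    tmp=$(mktemp -d) || return 1
    rc=1
    if create_primary "$tmp" 2>/dev/null \
        && tpm2_load -Q -C "$tmp/primary.ctx" -u "$SEAL_DIR/seal.pub" \
                     -r "$SEAL_DIR/seal.priv" -c "$tmp/seal.ctx" 2>/dev/null \
        && tpm2_unseal -c "$tmp/seal.ctx" -p "pcr:$PCRS" -o "$out" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Decide which config to boot: prints "encrypted" when the sealed key was released and the
# volume opened, otherwise "fallback". The router is never left unbootable.
select_boot_config() {
    keyfile=$(mktemp) || return 1
    if unseal_config_key "$keyfile" \
        && cryptsetup open --key-file "$keyfile" "$CONFIG_DEV" vyos-config 2>/dev/null; then
        shred -u "$keyfile"
        echo "encrypted"        # mount /dev/mapper/vyos-config on /config from here
    else
        rm -f "$keyfile"
        logger -t config-tpm "PCR policy not satisfied or no TPM; booting $FALLBACK_CFG" 2>/dev/null || true
        echo "fallback"
    fi
}

case "${1:-}" in
    seal) seal_config_key ;;
    boot) select_boot_config ;;
esac
```

Run `seal` once at install time and `boot` from early boot before /config is mounted. Binding to PCR 0, 2, 4 and 7 means any firmware, option ROM, bootloader or Secure Boot policy change alters the policy digest, so such updates must be followed by re-sealing or the next boot lands on the fallback config; logging the reason at that point is what lets an operator tell a failed update from a tampered boot chain. Because the fallback config is stored in plaintext, it should grant no more access than the encrypted one would.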

Details

Difficulty level
Hard (possibly days)
Version
1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

sdev triaged this task as Wishlist priority.
sdev changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
sdev changed Version from - to 1.4.
syncer changed the task status from Open to In progress. Jan 6 2023, 10:04 PM

@sdev take a look at these repositories:

https://github.com/stefanberger/swtpm/tree/master

https://github.com/stefanberger/swtpm/wiki

It appears to be the most straightforward and runs several virtual environments @Viacheslav @c-po

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Once the new install tools are complete and merged into 1.5, I will update the TPM PRs and mark them ready for review.