Page MenuHomeVyOS Platform
Create Task
Maniphest T4919

TPM-backed config encryption
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Looking into viability of adding support for TPM-backed encryption of /config data

Various factors to consider:

  • Which PCRs to require to ensure hardware/software integrity (End user configurable?)
  • Handling failed config decryption on boot (Fallback config?)

Details

Version
1.5
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

sarthurdev created this task.Jan 6 2023, 7:44 PM
sarthurdev claimed this task.Jan 6 2023, 7:48 PM
sarthurdev triaged this task as Wishlist priority.
sarthurdev edited a custom field.
sarthurdev changed Version from - to 1.4.
syncer changed the task status from Open to In progress.Jan 6 2023, 10:04 PM
c-po awarded a token.Jan 7 2023, 8:36 AM
pasik subscribed.Jan 7 2023, 11:23 AM
sarthurdev added a comment.Jan 7 2023, 12:03 PM

Draft PR: https://github.com/vyos/vyos-1x/pull/1740

Viacheslav added a project: VyOS 1.5 Circinus.Sep 1 2023, 8:07 AM
fernando added subscribers: Viacheslav, c-po, fernando.Sep 6 2023, 1:28 PM

@sdev take a look over these repository :

https://github.com/stefanberger/swtpm/tree/master

https://github.com/stefanberger/swtpm/wiki

It appears to be the most straightforward and run several virtual environments @Viacheslav @c-po

sarthurdev added a comment.Sep 13 2023, 9:35 AM

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Once the new install tools are complete and merged into 1.5, I will update the TPM PRs and mark them ready for review.

fernando added a comment.Sep 13 2023, 4:39 PM

@sdev greats !!!

aga subscribed.Sep 16 2023, 1:42 PM
sarthurdev changed the task status from In progress to Needs testing.Feb 20 2024, 11:49 AM
sarthurdev removed a project: VyOS 1.4 Sagitta.
sarthurdev changed Version from 1.4 to 1.5.
sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.
Restricted Repository Identity mentioned this in rVYOSONEX6e7e7842bc1b: Merge pull request #1740 from sarthurdev/tpm_luks.Mar 7 2024, 3:37 PM
sarthurdev mentioned this in rVYOSONEX4a882d3f8dfc: config: T4919: Support copying encrypted volumes during install.Mar 7 2024, 3:37 PM
sarthurdev mentioned this in rVYOSONEX94b2a3a26827: config: T4919: mount/unmount encrypted config on VyOS start/stop.
sarthurdev mentioned this in rVYOSONEX4249473dbaf5: config: T4919: Add support for encrypted config file with TPM.
Embezzle subscribed.Apr 12 2024, 11:00 AM
sarthurdev closed this task as Resolved.Jun 27 2024, 2:15 PM
sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.