FOSDEM 2024 impressions – About Storing Encryption Keys

Since many years, I am interested by computer security, taking essentially a practical and pragmatic point of view. I try to follow the trends as an early adopter, for myself and my computer.

I went to FOSDEM 2024, of course, where I had remarked several talks about security. I have followed, amongst others, two talks that are related to the secure storage of secrets and were inspiring for me. Both were good, easy to understand talks:

1. Using your Laptop TPM as a Secure Key Store: Are we there yet?

   James Bottomley, K.1.105 (La Fontaine), 2024-02-02 14:00
   [See also Frank’s report of this talk.]
2. What is Linux kernel keystore and why you should use it in your next application

   Ignat Korchagin, UB5.132, 2024-02-03 15:00

I have followed those talks, a bit pushed by the question “How could we practically improve the security of our secrets in Linux? Should I use the TPM?”

Here is my very personal conclusion of J. Bottomley’s talk, for a personal use of TPM:

1. TPM bring hardware security but are slow.
2. TPM are complex and difficult to program.
3. The TPM SW stack is only developed by Intel and IBM that have incompatible interpretations of the standard.
4. A computer with TPM is not as secure as it seems because you need to trust the TPM hardware vendor and SW stack vendor, and there are still ways to spy the communications between the CPU and the TPM.
5. TPM limit the crypto algorithms you can use: for ECC, NIST curves are supported, but not Curve 25519.

Here is my very personal conclusion of Korchagin’s talk, for a personal use of kernel keyrings:

1. Impressive!
2. As he showed, storing keys in kernel’s keyrings makes sense: it is better, more secure and more efficient than the ssh-agent and gpg-agent we use today.
3. The kernel and tool implementations are ready, they are even present on my laptop, it is not a future or experimental technology. The keyctl tool exists since about 10 years, it is stable.
4. The way keyrings are associated to users, user sessions, process lifetimes is smart, it allows to protect and delete the keys in an easy and secure way.
5. While the kernel keyrings are usable today for disk encryption, ssh-agent and gpg-agent are not using them yet. Ignat Korchagin has shown patching SSH to use kernel keyrings instead of ssh-agent is easy.

TPM, and in particular TPM 2.0, are useful in many cases, especially for those who need high security, in environments that trust corporations more than the computer admin. Kernel keyrings are especially useful in environments that trust the computer admin.

The TPM and kernel keyrings are not incompatible. The TPM could be the slow, permanent store for secrets. As stated by Ignat Korchagin in its summary, we could secure our keys in two steps: first, store them in the kernel keyrings, then, possibly store them further away, in a TPM, HSM, in a TEE (like ARM’s OP-TEE), or in an enclave, or in a secure element, but keep kernel keyrings’ API as the entry point to retrieve the keys. This would give all the flexibility free software use to give us.

My answer to James Bottomley’s title Using your Laptop TPM as a Secure Key Store: Are we there yet? is No, not yet. And alas, SSH and GPG are not yet there either, even if they are close. I am eager to see the final step.