[PATCH tpm-work 0/3] move the tpm-work branch to an assuan based tpm handling daemon
wiktor at metacode.biz
Tue Jul 31 09:31:42 CEST 2018
> The difficulty I have with adding PCR policy to TPM protected gpg keys
> is that PCR policy handling is a very esoteric function and it's
> difficult to see value beyond the current platform locking the TPM
> already does since the user would have to understand when the PCR
> values changed and how to update the keys with new PCR values, which
> would really put a kink in usability.
I agree this is more esoteric and probably not that useful for the
majority of users.
For my use case I'm thinking on full disk encryption with keys copied to
TPM where I'd like it to break if the configuration changes. If I
changed it I would copy the keys again, if I didn't do the configuration
change I'd see it.
One way or another TPM keys are already big improvement for secure
storage of keys so thank you for working on it!
Have a nice day.
More information about the Gnupg-devel