TPM operations in v2.3

Andrew Savchenko andrew at
Sun Apr 11 03:22:36 CEST 2021

Hello GnuPG,

Just read about the v2.3 release; TPM feature is straight from the "dreams
come true" category, massive update!

Two questions:

1. When the key is unsealed, which PCR registers are queried to ensure that
   measurements are the same as when the key was sealed?
2. Is there an ability to change which PCRs are used during the `keytotpm` phase?

My very generic understanding of the process, please correct if the 
assumptions below are false:

1. Key is generated on the target host

2. Key is sealed in TPM using user-supplied password and PCR registers

P.S. At the beginning of the blog-post, James says: "the ability to use
     a TPM 2.0 (which comes with all reasonably recent laptops) to protect all
     the private keys".
     This can be changed to "reasonably recent anything", as these days TPMs
     can be found in desktops, servers and CPUs. Either fTPM or dTPM, all
     conforming to the TPM v2.0 standard.
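The two questions above turn on how a TPM 2.0 binds a sealed object to a chosen set of PCRs. The following is an added illustration of that general mechanism (the TPM2 PolicyPCR policy digest and PCR extend chain, SHA-256 bank only); it is not code from GnuPG or from the thread, and it makes no claim about how `keytotpm` itself binds keys, which is exactly what the questions ask. The boot "events" are constructed sample data; the command code `TPM_CC_PolicyPCR` (0x0000017F) and the TPML_PCR_SELECTION wire layout are from the TPM 2.0 specification.

```python
import hashlib

# TPM 2.0 constants (TPM 2.0 Library spec, Part 2)
TPM_CC_POLICYPCR = 0x0000017F   # command code mixed into the policy digest
TPM_ALG_SHA256 = 0x000B         # hash algorithm id of the PCR bank used here
PCR_COUNT = 24


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(measurement)): a PCR can only be extended, never set."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def simulate_boot(events: dict) -> dict:
    """Replay constructed boot events {pcr_index: [measured blobs]} into a fresh PCR bank."""
    pcrs = {i: bytes(32) for i in range(PCR_COUNT)}   # all PCRs reset to zero at power-on
    for idx, measurements in events.items():
        for m in measurements:
            pcrs[idx] = pcr_extend(pcrs[idx], m)
    return pcrs


def pcr_selection(indices) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank: count, algId, sizeofSelect, bitmap."""
    bitmap = bytearray(3)                # 24 PCRs -> 3-byte bitmap, PCR n = bit (n % 8) of byte n // 8
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + bytes([3]) + bytes(bitmap)


def policy_pcr_digest(pcrs: dict, indices) -> bytes:
    """Policy digest produced by TPM2_PolicyPCR on a fresh (all-zero) policy session.

    policyDigest = H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))
    Only the selected PCRs, in ascending order, enter the computation.
    """
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()
    return hashlib.sha256(
        bytes(32) + TPM_CC_POLICYPCR.to_bytes(4, "big") + pcr_selection(indices) + pcr_digest
    ).digest()


def can_unseal(sealed_policy: bytes, current_pcrs: dict, indices) -> bool:
    """Unseal succeeds only if the policy recomputed from the live PCRs equals the one
    recorded at seal time; the TPM compares digests, so any drift in a selected PCR fails."""
    return policy_pcr_digest(current_pcrs, indices) == sealed_policy


# Constructed sample boot: firmware code in PCR 0, Secure Boot state in PCR 7,
# bootloader binary in PCR 4. The key is sealed to PCRs 0 and 7 only.
SEAL_EVENTS = {0: [b"firmware-v1"], 4: [b"bootloader-v1"], 7: [b"secureboot-on"]}
SELECTED = (0, 7)


def demo() -> dict:
    seal_time = simulate_boot(SEAL_EVENTS)
    sealed_policy = policy_pcr_digest(seal_time, SELECTED)

    same_boot = simulate_boot(SEAL_EVENTS)
    firmware_changed = simulate_boot({**SEAL_EVENTS, 0: [b"firmware-v2"]})
    bootloader_changed = simulate_boot({**SEAL_EVENTS, 4: [b"bootloader-v2"]})

    return {
        "same_boot": can_unseal(sealed_policy, same_boot, SELECTED),               # True
        "firmware_changed": can_unseal(sealed_policy, firmware_changed, SELECTED), # False: PCR 0 selected
        "bootloader_changed": can_unseal(sealed_policy, bootloader_changed, SELECTED),  # True: PCR 4 not selected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unseal OK' if ok else 'unseal FAILS'}")
```

The third case is the point relevant to question 2: a change in a PCR outside the selection is invisible to the policy, so the selection chosen at seal time decides which parts of the boot state the key is actually bound to.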

