gpg and TPM

mailinglisten at mailinglisten at
Fri May 14 18:40:27 CEST 2021

Am 13.05.21 um 23:03 schrieb Damien Goutte-Gattat:
> On Tue, May 11, 2021 at 02:03:21PM +0000, mailinglisten at wrote:
>> I´m not that familiar with the TPM in general
> Me neither.
>> is the TPM owner (and SRK) password safe against brute force attacks?
>> Or do you need a complex password for the TPM?
> My understanding is that the TPM offers the *possibility* to protect
> against brute force attacks (through the “dictionary attack lockout
> reset” mechanism), but I am not sure whether that protection is enabled
> by default or if the tpm2daemon (the new component within GnuPG in
> charge of using the TPM) makes use of it.
> Until I know more, I use with my TPM stronger PINs than what I normally
> use with my OpenPGP tokens, just in case. :)

Your concerns are true, TPM protected keys, created by GnuPG are not
brute force protected, a quote from James Bottomley:

"The TPM includes what’s called dictionary lockout protection, so if too
many incorrect passwords are entered, it will enter a dictionary attack
timeout phase before it lets you try a new one. The TPM owner can set
the timeout parameters for this. Note that you can defeat this by
specifying the NODA flag in a TPM key, which means “don’t use dictionary
attack protection for this key”. GnuPG keys are currently created with
this flag set, so you need strong passwords for them"

I wonder, if the dictionary protection can be enabled at a later point
of time.... it would greatly ease the use of the key if you just need a
short PIN.

Another point is, you can´t set an owner password for the TPM, if you do
so, GnuPG can´t access the TPM and you can´t use the keytotpm command.
According to James, GnuPG currently has no mechanism to ask for a
possibly set TPM owner password.

After all, the whole things works, but still requires some fine tuning
here and there, but TPM protected gpg keys really is a great thing and
fun to play with.

Finally the TPM is something good for in a Unix box ;-)
(besides using the hardware RNG which I already did before)

best regards

More information about the Gnupg-users mailing list