gpg and TPM

mailinglisten at posteo.de mailinglisten at posteo.de
Fri May 14 18:47:48 CEST 2021


On 14.05.21 at 08:46, Raja Saha wrote:
> Hi,
> 
> I was reading about Debian UEFI and secure boot. If tpm isn't secured
> at boot, will that make tpm less secure than key pair where user puts a
> strong password?

Technically, secure boot and TPM are 2 different things.
You can use secure boot without TPM.

If you want to use a TPM protected gpg key, you must *not* set a TPM
owner password! When you set a TPM owner password, the GnuPG command
keytotpm will not work! I think this is not a big deal, because the TPM
protected key has its own password when you create it.
Maybe in the future we can set a TPM owner password and use GnuPG with
TPM protected keys, but now you can't set a TPM password and use GnuPG
with it, unfortunately. But I think this is not a real risk. First, the
gpg key has its own password, and second, an attacker is never able to
retrieve the key from the TPM.

regards
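As an added example (not part of this mail, nor GnuPG's or tpm2-tools' own code), a POSIX shell check of whether the TPM owner hierarchy has an authorization value set, which is the condition the mail says makes keytotpm fail. It assumes tpm2-tools' `tpm2_getcap properties-variable` and its YAML-style output layout; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Report whether the TPM owner hierarchy has an auth value ("owner password") set.
# GnuPG's keytotpm needs the owner hierarchy usable without a password, so an
# ownerAuthSet flag of 1 means keytotpm will fail. Assumes tpm2-tools is installed
# for the live check; the parser itself works on captured output.

# Parse tpm2_getcap properties-variable output from stdin.
# Prints "set", "clear", or "unknown" depending on the ownerAuthSet flag
# inside the TPM2_PT_PERMANENT section (format assumed from tpm2-tools).
owner_auth_state() {
    awk '
        /^TPM2_PT_PERMANENT:/ { in_perm = 1; next }
        in_perm && /^[^ ]/    { in_perm = 0 }
        in_perm && $1 == "ownerAuthSet:" {
            r = ($2 == "1") ? "set" : "clear"; print r; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# Query the real TPM (needs tpm2_getcap and access to the TPM device).
# Return code: 0 = answer printed, 2 = tpm2_getcap missing.
check_live_tpm() {
    command -v tpm2_getcap >/dev/null 2>&1 || {
        echo "tpm2_getcap not found; install tpm2-tools" >&2
        return 2
    }
    tpm2_getcap properties-variable 2>/dev/null | owner_auth_state
}

# Constructed samples mimicking tpm2_getcap output, for stand-alone runs.
SAMPLE_CLEAR='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1'

SAMPLE_SET='TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        0
  lockoutAuthSet:            1'

# Run with --live to ask the real TPM; otherwise show the two samples.
if [ "${1:-}" = "--live" ]; then
    check_live_tpm
else
    printf 'sample without owner password: %s\n' "$(printf '%s\n' "$SAMPLE_CLEAR" | owner_auth_state)"
    printf 'sample with owner password:    %s\n' "$(printf '%s\n' "$SAMPLE_SET" | owner_auth_state)"
fi
```

A result of "set" means keytotpm will not work until the owner auth is cleared; "clear" is the state the mail describes as required.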