[gnutls-help] Using TPM with PKCS#11 applications

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 5 17:25:41 CET 2013

On Thu, Dec 5, 2013 at 3:53 PM, Thomas Habets <thomas at habets.se> wrote:
> Hi.
> Reading http://www.gnutls.org/manual/html_node/Hardware-security-modules-and-abstract-key-types.html
> I understand the situation to be that GnuTLS has support for TPM chips
> via libtspi,

The above is correct.

> and GnuTLS supports *using* PKCS#11, but doesn't support
> being used as a PKCS#11 provider. Is that right?

No. GnuTLS doesn't provide a PKCS #11 module.

> I want TPM behind a PKCS11 provider to protect SSH client keys, and
> have written a pkcs11 module that works directly with libtspi. I'm
> trying to find out if GnuTLS has code for this already:
> http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

The trousers library provides a PKCS #11 front-end. I've never managed
to set it up though.
If you are using GnuTLS, I'd suggest using the TPM interface directly,
or simply the TPM URLs.


More information about the Gnutls-help mailing list