sample procedure to encrypt a GCP service account RSA key such that it is loadable only on specific TPMs
this procedure saves the key reference to non-volatile memory, which persists through power cycles.
however, there are limited NV slots available (7 per TPM, i think).
the long-term plan is to allow full persistence via go-tpm-tools (Allow persistence client.Key()) and move away from NVRAM slots
also see
for each TPM, get the ekCert and extract the public key (or just get the ekPub):
# if using GCE
gcloud compute instances get-shielded-identity instance-2 --format="value(encryptionKey.ekPub)"
# if you have the ekcert
openssl x509 -pubkey -noout -in ekcert.pem > ekpub.pem
or, if you are on the machine with the target TPM, you can get the ekPublic key using tpm2_tools:
# if using tpm2_tools
tpm2_createek -c primary.ctx -G rsa -u ek.pub -Q
tpm2_readpublic -c primary.ctx -o primary.pub
tpm2_readpublic -c primary.ctx -o ekpub.pem -f PEM -Q
# if using go-tpm-tools, see:
### https://github.com/salrashid123/tpm2/blob/master/gcp_ek_ak/main.go#L94-L111
gcloud iam service-accounts keys list [email protected]
KEY_ID CREATED_AT EXPIRES_AT DISABLED
71b831d149e4667809644840cda2e7e0080035d5 2023-08-24T19:57:32Z 9999-12-31T23:59:59Z <<<<<<<<<<<<<<<<<<<<<<<<
note the svc account key is expected in RSA PRIVATE KEY format
(this is just because the implementation i have...)
$ cat /tmp/key_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA6ila7sGempkwfThV8DqjZJe2WsYdIw9QF25w/br55NM9fLRj
e.g., to extract the key id and convert the private key from the downloaded service account json:
cat svc_account.json | jq -r '.private_key_id'
71b831d149e4667809644840cda2e7e0080035d5
cat svc_account.json | jq -r '.private_key' > f.key
openssl rsa -out /tmp/key_rsa.pem -traditional -in f.key
$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys
$ go run asymmetric/seal/main.go \
--rsaKeyFile=/tmp/key_rsa.pem \
--sealedOutput=sealed.dat \
--ekPubFile=/tmp/ek.pem \
--v=10 -alsologtostderr
then copy sealed.dat to the vm (e.g. scp sealed.dat to the vm)
$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys
$ go run asymmetric/import/main.go --importSigningKeyFile=/tmp/sealed.dat --persistentHandle=0x81008001 --bindPCRValue=23 --flush=all --v=2 -alsologtostderr --evict=false
I0825 18:51:28.375322 5654 main.go:52] ======= Init importSigningKey ========
I0825 18:51:28.411068 5654 main.go:87] ======= Loading EndorsementKeyRSA ========
I0825 18:51:28.419475 5654 main.go:94] ======= Loading sealedkey ========
I0825 18:51:28.419722 5654 main.go:105] ======= Loading ImportSigningKey ========
I0825 18:51:28.481885 5654 main.go:148] ======= Signing Data with Key Handle ========
I0825 18:51:28.490727 5654 main.go:210] Test Signature: yt5tjN+idFUrJk1+Z3nSErlIp9BImGpFF+xPzB1x+gpx+6TI7H0+TsAglHBF0SKvxoLIM1yVpAW8/XFwj1ywmwJt7Uo99SuIKp/ignNvwfk+NKspI7CZFw70RbGdBEbWiYLbiQqV09Or3K8kStX9mudGlSdbD4UBNTYMt67lyXFV7CW8aqyKw4R0LKq8WVRW3q8kolowwmFeG3YkwpiVtZGrr30t9Jwbfkpmk7nS4UdupgzbJGU2WgSCL0dwrUwtDKvAw5g/wrT+PDbd4ahaDuvTaxLYftMSWz4dj+C//3AwDOdziaWPe52KbPoBcLAiuYpORUhD+6w6UtjYgVzn3A==
# tpm2_getcap handles-persistent
- 0x81008000
see code at
# go run main --persistentHandle=0x81008000 -serviceAccountEmail="[email protected]" -keyId=71b831d149e4667809644840cda2e7e0080035d5
2023/08/25 19:25:45 ======= Init ========
2023/08/25 19:25:45 Token: ya29.c.b0Aaek...
2023/08/25 19:25:45 core-eso-bucket
2023/08/25 19:25:45 core-eso_cloudbuild
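the token step above works because only the RSA signature of the service-account JWT assertion needs the TPM-held key; everything else is plain JOSE encoding. the following is an added example (not the repo's main.go) that builds and checks the assertion, with the signer abstracted so a TPM sign over the persistent handle can be dropped in; the service-account email and the demo signer are constructed placeholders, the key id is the one from the gcloud listing above.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Tuple

TOKEN_URL = "https://oauth2.googleapis.com/token"  # audience of the JWT-bearer grant
MAX_LIFETIME = 3600                                  # Google rejects assertions valid longer than 1h


def b64url(data: bytes) -> str:
    """Unpadded base64url as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_signing_input(sa_email: str, key_id: str, scopes: List[str],
                        iat: int, lifetime: int = MAX_LIFETIME) -> str:
    """header.claims of the assertion; kid is the private_key_id that
    `gcloud iam service-accounts keys list` printed for the sealed key."""
    def enc(obj: Dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URL,
              "iat": iat, "exp": iat + lifetime}
    return enc(header) + "." + enc(claims)


def make_assertion(signing_input: str, signer: Callable[[bytes], bytes]) -> str:
    """The only step that touches the private key: `signer` must produce an
    RSASSA-PKCS1-v1_5/SHA-256 signature over the ASCII signing input
    (in production, a TPM sign using the persistent handle)."""
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def parse_assertion(assertion: str) -> Tuple[Dict, Dict, bytes]:
    h, c, s = assertion.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)


def check_assertion(assertion: str, expected_kid: str) -> List[str]:
    """Structural checks to run on the assertion before it leaves the host."""
    header, claims, _ = parse_assertion(assertion)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg must be RS256")
    if header.get("kid") != expected_kid:
        problems.append("kid does not match the sealed key id")
    if claims.get("aud") != TOKEN_URL:
        problems.append("aud must be the token endpoint")
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("lifetime exceeds 1h")
    return problems


def demo_signer(data: bytes) -> bytes:
    # CONSTRUCTED stand-in so the block runs without a TPM; NOT an RSA signature.
    return hashlib.sha256(data).digest()
```

the assertion is then POSTed to TOKEN_URL with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, which is what produces the ya29 access token shown above.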