@salrashid123
salrashid123 / postgres_tpm_mtls.md
Last active May 17, 2024 17:25
postgres mTLS authentication with private key inside a Trusted Platform Module (TPM)

Basic example of using mTLS authentication for PostgreSQL, but where the private key for TLS is sealed into a Trusted Platform Module (TPM).

More generally, this procedure is applicable to any Postgres system with mTLS enabled. The specific example is for Google CloudSQL.

mTLS for Cloud SQL is described in authorize-ssl, with a flow where you download client certificates.

Once you have the client certificate, there are many ways to securely transfer its private key over to the TPM (e.g. as described at oauth2.TpmTokenSource).

@salrashid123
salrashid123 / cloud_sql_tpm.md
Last active May 17, 2024 17:23
Google Cloud SQL IAM with service account private key inside Trusted Platform Module (TPM)

Google Cloud SQL IAM Authentication with private keys on Trusted Platform Module (TPM)

This procedure seals a GCP Service Account's private key into a TPM and uses that key for IAM authentication.

The basis for this is described at oauth2.TpmTokenSource.

The flow below assumes you are using option A as described above (i.e., you load the private key directly into the TPM).

@salrashid123
salrashid123 / duplicate_policyduplicationselect.md
Created May 9, 2024 14:56
Prevent Chained duplication from TPM-A -> TPM-B -> TPM-C using tpm2_policyduplicationselect

Prevent Chained duplication from A -> B -> C using tpm2_policyduplicationselect

This procedure transfers an HMAC key created inside TPM-A to TPM-B, but prevents TPM-B from transferring it on to TPM-C.

Basically, this extends the chained A -> B -> C duplication procedure. As an end-to-end example, the following transfers an RSA key generated on TPM-A to TPM-B, using tpm2_policyduplicationselect to prevent further duplication.

Step 1 below transfers a key from A->B; step 2 attempts B->C, but duplication is prevented on B by policy.

@salrashid123
salrashid123 / duplicate_policycommandcode.md
Created May 9, 2024 14:40
Duplicate and Transfer an encoded key from TPM-A -> TPM-B -> TPM-C using tpm2_policycommandcode
@salrashid123
salrashid123 / threshold.go
Last active May 6, 2024 18:06
Threshold Signatures in Golang
package main
import (
"encoding/base64"
"fmt"
"go.dedis.ch/kyber/v3/pairing/bn256"
"go.dedis.ch/kyber/v3/share"
"go.dedis.ch/kyber/v3/sign/bls"
"go.dedis.ch/kyber/v3/sign/tbls"
@salrashid123
salrashid123 / dwd.go
Created April 1, 2020 13:30
Gsuites domain wide delegation/impersonation
package main
import (
"fmt"
"io/ioutil"
"log"
"context"
"cloud.google.com/go/storage"
@salrashid123
salrashid123 / tinkrsa.go
Created April 17, 2024 00:17
tink-golang sign/verify and extract rsa.PublicKey
package main
import (
"bytes"
"crypto"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/json"
"encoding/pem"
@salrashid123
salrashid123 / os-inventory.md
Created April 2, 2024 13:41
Parsing GCP OSInventory packages from metadata server

Parsing the os-inventory metadata server struct

If you have os-inventory enabled, you can get the values on the VM itself by running:

curl -s -H 'Metadata-Flavor: Google'  http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/InstalledPackages

Parse the values using:
(you can of course otherwise get the packages via the API)

@salrashid123
salrashid123 / sa_import.md
Last active April 1, 2024 15:02
Importing ServiceAccount Credentials to TPMs

Sample procedure to encrypt a GCP service account RSA key such that it is loadable on specific TPMs.

This procedure saves the key reference to non-volatile memory, which persists through power cycles.

However, there are limited NV slots available (7 per TPM, I think).

Long term, the plan is to allow full persistence via go-tpm-tools (Allow persistence client.Key()) and move away from NVRAM slots.

Also see:

@salrashid123
salrashid123 / container.go
Created August 4, 2023 16:04
containerd nginx in golang
package main
import (
"context"
"fmt"
"log"
"syscall"
"time"
// "github.com/containerd/cgroups/v3"