Extending a PCR

We'll need to extend a PCR so that we can encrypt our GPG key. We'll arbitrarily choose PCR number 9. First let's view the PCR status to be sure that it is blank:

cat /sys/class/misc/tpm0/device/pcrs | grep PCR-09

This should return the current state of the PCR, which, without secure boot in use, is all zeros:

PCR-09:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Now, run the getgpgpin program from the following section. You should see the LED turn green on the CryptoCape and you have 10 seconds to enter a five-digit pin. Each time you press a key, the LED should briefly flash and when five digits have been entered, the LED will turn off. After 10 seconds, the getgpgpin program will silently exit. If you compiled the program with #define DEBUG set to 1, you should see something like this:

54321
(Line 53, extend_pcr)  Create a Context
 returned 0x00000000. Success.
(Line 55, extend_pcr)  Connect to TPM
 returned 0x00000000. Success.
(Line 59, extend_pcr)  GetTPM Handle
 returned 0x00000000. Success.
(Line 62, extend_pcr)  Owner Policy
 returned 0x00000000. Success.
36987(Line 73, extend_pcr)  extend
 returned 0x00000000. Success.

Now, check your PCR status again:

cat /sys/class/misc/tpm0/device/pcrs | grep PCR-09

You should now have a populated PCR9:

PCR-09:2B 1E 41 10 EB A0 91 9E B4 89 0E 04 83 0B 70 C5 C2 AA 23 44
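To make the transition from the all-zero PCR to this populated value concrete, here is an added model of the TPM 1.2 extend operation (example code, not the book's getgpgpin program). It assumes, as TrouSerS does for Tspi_TPM_PcrExtend, that the caller's data is first reduced to a SHA-1 digest, after which the TPM stores SHA-1(old PCR || digest); the PIN 54321 and the two-run sequence are constructed inputs, so the hex values it prints will not match the real TPM's output above.

```python
import hashlib

PCR_LEN = 20            # TPM 1.2 PCRs hold one SHA-1 digest
BLANK_PCR = bytes(PCR_LEN)  # the "PCR-09:00 00 ... 00" state before any extend


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """Model of a TPM 1.2 extend (assumption: TSS hashes the data to 20 bytes,
    then the TPM computes SHA-1(old_pcr || digest)). The old value is never
    recoverable from the new one, so an extend cannot be undone or replayed."""
    assert len(pcr) == PCR_LEN
    digest = hashlib.sha1(data).digest()
    return hashlib.sha1(pcr + digest).digest()


def fmt_pcr(index: int, pcr: bytes) -> str:
    """Render like /sys/class/misc/tpm0/device/pcrs, e.g. 'PCR-09:2B 1E ...'."""
    return f"PCR-{index:02d}:" + " ".join(f"{b:02X}" for b in pcr)


def pin_pcr_sequence(pin: str, runs: int) -> list:
    """Extend a blank PCR with the same PIN `runs` times and return every
    intermediate state. Run 2 starts from run 1's output, not from zero,
    which is why the PIN can only be entered once per boot."""
    states = []
    pcr = BLANK_PCR
    for _ in range(runs):
        pcr = pcr_extend(pcr, pin.encode())
        states.append(pcr)
    return states


def seal_policy_matches(sealed_to: bytes, current: bytes) -> bool:
    """tpm_sealdata -p 9 binds the blob to PCR9's value at seal time; unseal
    succeeds only if the live PCR equals it (modelled here as equality)."""
    return sealed_to == current


if __name__ == "__main__":
    first, second = pin_pcr_sequence("54321", 2)  # constructed PIN
    print(fmt_pcr(9, BLANK_PCR))
    print(fmt_pcr(9, first), "<- sealed against this")
    print(fmt_pcr(9, second), "<- after entering the PIN a second time")
    print("unseal would succeed now:", seal_policy_matches(first, second))
```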

You can only enter the code once. If you run the program again, it will extend PCR9 a second time, starting from the current (already extended) value rather than from zero, so the resulting PCR will no longer match the one the sealed data expects. Now, let's seal our GPG secret keyring:

tpm_sealdata -p 9 -i secring.gpg -o secring.gpg.tpm -z -l debug

You can remove -l debug if you wish and the command will silently complete. Let's test decryption:

tpm_unsealdata -i secring.gpg.tpm -o deleteme -z

It should silently complete on success. You can now delete the temporary file deleteme and the original secring.gpg. You did make an encrypted backup, right? You'll probably want to delete the file in a more secure fashion. The secure remove tool srm does just that: it overwrites the file numerous times before deleting it. To install it, use the following command:

sudo apt-get install secure-delete

Then use srm just as you would rm.

Note

Bunnie Huang and Sean Cross (also known as xobs) presented a talk at the 30th Chaos Communication Congress (30C3) on hacking SD cards. Your SD or eMMC includes a small microcontroller that manages the attached flash memory. This microcontroller is perfectly situated to act as a Man-in-the-Middle attacker and manipulate the data you store on the device. For example, the microcontroller could keep a backup copy of your data since it would report to your computer a storage capacity of 8GB, but actually it contains a 16 GB flash chip. More information can be found on Bunnie's blog at http://www.bunniestudios.com/blog/?p=3554.
