Simple pkcs11 provider for tpm chips
simple-tpm-pk11 Is a PKCS11 provider for TPM chips. Its primary purpose is to protect SSH client keys so that they can\(cqt be copied or stolen if the machine they\(cqre on gets compromised.
Since PKCS11 modules are .so files loaded by other binaries, they don\(cqt take command line options. Instead simple-tpm-pk11 options can be set up environment variables.
If set, enables debug level logging.
Override default config location. Default is ~/.simple-tpm-pk11/config.
If set, copies all log output to STDERR.
Configuration options are of the key/value variety, with comments lines starting with "#".
Full path to key file, or relative to ~/.simple-tpm-pk11. This the only required configuration option.
Enable debug level logging.
Set SRK PIN. Default is the Well Known Secret (20 nulls).
Set key PIN.
Full path to log file, or relative to ~/.simple-tpm-pk11.
# Load key from ~/.simple-tpm-pk11/my.key. key my.key # Load key from /keys/foo/my.key, and the empty string as SRK PIN. key /keys/foo/my.key srk_pin
Most errors will probably be related to interacting with the TPM chip. Resetting the TPM chip and taking ownership should take care of most of them. See the TPM-TROUBLESHOOTING section.
The password is read from stdin without turning off echo. It should be read from the terminal without echo.