File tree 1 file changed +17
-6
lines changed
1 file changed +17
-6
lines changed Original file line number Diff line number Diff line change @@ -62,20 +62,31 @@ advertisement is stored, or the JSON contents of the advertisement itself. When
6262the advertisement is specified manually like this, Clevis presumes that the
6363advertisement is trusted.
6464
65- #### PIN: TPM2
65+ #### PIN: TPM1 and TPM2
6666
67- Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
68- chip. The cryptographically-strong, random key used for encryption is encrypted
69- using the TPM2 chip, and is decrypted using TPM2 at the time of decryption to allow clevis to decrypt the secret stored in the JWE.
67+ Clevis provides support to encrypt a key in a Trusted Platform Module 1.2 (TPM1)
68+ and 2.0 (TPM2) chip. The cryptographically-strong, random key used for
69+ encryption is encrypted using the TPM chip, and is decrypted using TPM at the
70+ time of decryption to allow clevis to decrypt the secret stored in the JWE.
7071
71- For example:
72+ For example for TPM1 pin:
73+
74+ ``` bash
75+ $ echo hi | clevis encrypt tpm1 ' {}' > hi.jwe
76+ ```
77+
78+ or TPM2 pin:
7279
7380``` bash
7481$ echo hi | clevis encrypt tpm2 ' {}' > hi.jwe
7582```
7683
7784Clevis store the public and private keys of the encrypted key in the JWE object,
78- so those can be fetched on decryption to unseal the key encrypted using the TPM2.
85+ so those can be fetched on decryption to unseal the key encrypted using the TPM
86+ chip.
87+
88+ Check manual pages for ` clevis-encrypt-tpm1 ` and ` clevis-encrypt-tpm2 ` tools for
89+ more options, like binding to a particular PCR registry states and/or values.
7990
8091#### PIN: Shamir Secret Sharing
8192
You can’t perform that action at this time.
0 commit comments