In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.
The SRK is a public key pair that is the main secret inside the TPM chip. It is always generated by the chip, and the private key cannot be read or migrated.
In order to use the SRK key with any operation, the SRK password must be supplied. The SRK password is just an access password. It's not related to the key itself. The SRK password is usually set to the Well Known Secret (20 null characters), or sometimes the empty string, or something silly like "12345678".
There is not much point in having a good SRK password, since you probably have to store it on disk somewhere anyway, to allow TPM operations by daemons.
If you want a password then you probably want to set that per key, not chip-wide like the SRK password is.
stpm-keygen binary asks the TPM to generate a key, and the TPM
hands back the public portion of the key, and a "blob" that has no meaning to
anyone except the TPM. The blob is encrypted Continue reading