Safeguarding your keys in a TPM

TPMs (Trusted Platform Modules) are beneficial for storing private keys due to their hardware-based security features, which offer robust protection against various forms of cyber attacks. Additionally, TPMs provide a secure environment isolated from the main operating system, enhancing the confidentiality and integrity of stored private keys.

This post assumes familiarity with Connext with Security Plugins. If you’re new to implementing security with Connext, check out the Getting Started Guide.

Connext 7.3.0 adds support for OpenSSL providers, which include the tpm2-openssl provider, allowing you to use a TPM with OpenSSL. This means that Connext applications can use the TPM provider to safeguard their private keys.

Here’s how you do this:

  1. Install the TPM2 OpenSSL provider from https://github.com/tpm2-software/tpm2-openssl. This repository contains instructions for installing on Linux & Windows.
  2. Configure OpenSSL to use the provider (along with the default provider) by modifying your openssl.cnf file to enable the providers. You can modify the configuration file that comes with an RTI OpenSSL target bundle found in
    $NDDSHOME/third_party/openssl-<version>/$ARCH/release/openssl.cnf. Starting on line 53:
    [openssl_init]
    providers = provider_sect
    # List of providers to load
    [provider_sect]
    default = default_sect
    tpm2 = tpm2_sect
    
    # If no providers are activated explicitly, the default one is activated implicitly.
    # See man 7 OSSL_PROVIDER-default for more details.
    #
    # If you add a section explicitly activating any other provider(s), you most
    # probably need to explicitly activate the default provider, otherwise it
    # becomes unavailable in openssl. As a consequence applications depending on
    # OpenSSL may not work correctly which could lead to significant system
    # problems including inability to remotely access the system.
    [default_sect]
    activate = 1 
    [tpm2_sect]
    activate = 1
    

  3. Set environment variables. To load providers, you must set two of them:
    • Set OPENSSL_CONF to the path and filename of the configuration file you constructed (e.g. $NDDSHOME/third_party/openssl-<version>/$ARCH/release/openssl.cnf)
    • Set OPENSSL_MODULES to the path (without filename) that contains the providers you want to load. In this case, set it to the directory where tpm2.dll or tpm2.so is located.
  4. Verify that OpenSSL is loading the providers with the following command. It should print both the default provider and the tpm2 provider if everything is configured correctly.
    openssl list -providers

  5. Generate keys with the TPM provider using OpenSSL. The following commands use the .cnf files from the Getting Started Guide.
    openssl req -nodes -x509 -provider tpm2 -propquery '?provider=tpm2' -days 1825 -sha256 -text -newkey rsa -keyout rsa01RootCaKey.pem -config rsa01RootCa.cnf -out rsa01RootCaCert.pem

    openssl req -provider tpm2 -nodes -new -newkey rsa -keyout rsa01Peer01Key.pem -config rsa01Peer01.cnf -out rsa01Peer01Cert.pemTemporaryRequestFile -propquery '?provider=tpm2'

    openssl x509 -req -provider tpm2 -days 1825 -text -CA rsa01RootCaCert.pem -CAkey rsa01RootCaKey.pem -set_serial 0x152E350297E7A989B564A7A22E885726D550A534 -in rsa01Peer01Cert.pemTemporaryRequestFile -out rsa01Peer01Cert.pem -propquery '?provider=tpm2'
  6. Configure your Connext application to use the generated keys through QoS.
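As an added example (not code from the post or from RTI), the following POSIX shell script checks the setup from steps 2 through 4 before a Connext application relies on the TPM-backed keys: it writes the minimal provider configuration, confirms that the OPENSSL_MODULES directory actually contains the tpm2 module, and parses `openssl list -providers` output to confirm both providers are active. The sample provider listing and the temporary paths are constructed.

```shell
# Added example (not from the original post): sanity checks for the provider
# setup in steps 2-4. Sample output and paths are constructed, not captured.

# Step 2: write the minimal provider configuration from the post to "$1".
write_provider_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
tpm2 = tpm2_sect
[default_sect]
activate = 1
[tpm2_sect]
activate = 1
EOF
}

# Step 3: OPENSSL_MODULES must name the directory holding the provider
# module (tpm2.so on Linux, tpm2.dll on Windows), not the file itself.
modules_dir_ok() {
    [ -d "$1" ] && { [ -f "$1/tpm2.so" ] || [ -f "$1/tpm2.dll" ]; }
}

# Step 4: read `openssl list -providers` output on stdin; succeed only if
# both the default and the tpm2 provider report "status: active".
providers_active() {
    awk '
        /^[[:space:]]*[A-Za-z0-9_-]+$/ { name = $1 }
        /status: active/ { if (name == "default") d = 1; if (name == "tpm2") t = 1 }
        END { if (d && t) exit 0; exit 1 }'
}

# Constructed sample of a correctly configured `openssl list -providers`.
SAMPLE_OK='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
  tpm2
    name: TPM 2.0 Provider
    version: 1.2.0
    status: active'

# Live check, meaningful once OPENSSL_CONF and OPENSSL_MODULES are exported.
live_check() {
    openssl list -providers 2>/dev/null | providers_active
}
```

Run `live_check` after exporting the two environment variables from step 3; a non-zero exit means at least one provider failed to load, and keys generated at that point would not be TPM-backed.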
For more information, see the page on providers in the 7.3.0 User Manual.