Using the TPM for cloud-based authentication


One Line Summary

Discuss and demo tools for creating private keys offline and securely uploading them to the cloud.


This discussion session will only be about keys and attestation, not about measurement. I’ll also be assuming the container use case, so there’s no need for a vTPM to talk to the physical TPM. I’ll also be talking about TPM 1.2 because that’s what I have to play with.

Cloud Security and Trust is a significant adoption barrier according to the enterprise, so one focus of our research has been using the TPM to lower that barrier. The use case focus is VPNaaS because, for hybrid cloud, a VPN usually has to be established between the cloud and the enterprise.

On “cloud trust”, the reasonable use case seems to be that the customer trusts the VPN provider somewhat, but doesn’t trust that they won’t get hacked, so the primary defence here is preventing the keys from falling into enemy hands. To that end, a lot of the attestation processes of the TPM can be short-circuited by having the cloud provider publish an X509 certified set of storage root keys for their TPMs.

We will present a set of tools for encoding an X509 private key for any given SRK so it can be securely uploaded into the cloud, plus engine code for openssl so openvpn can securely use such a key. Note: we target only the RSA negotiation, not the symmetric key, so the TPM only has one transaction per VPN re-key to process and they occur on a side channel, making the TPM performance largely irrelevant.

Assuming they’re developed in time, we’ll also present a set of tools for attestation (effectively tools for being a privacyCA) so that the really paranoid can have the TPM quote and verify their keys are secure.

Finally, some thought has been given to how to protect the authority of the keys, and an authority leasing scheme based on the cloud provider extending a PCR periodically with the current date will be discussed.
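To illustrate why a date-extended PCR can act as a lease, here is an added simulation that is not from the talk or its tools. It assumes the provider extends one ISO date per day into a single PCR starting from the reset value, and that the customer binds key use to the PCR value expected on the lease day; the class, function names and dates are constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(event))."""
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()

def expected_pcr(start: date, lease_day: date) -> bytes:
    """Customer side: precompute the PCR value the TPM will hold on lease_day."""
    pcr, day = bytes(PCR_SIZE), start
    while day <= lease_day:
        pcr = extend(pcr, day.isoformat().encode())
        day += timedelta(days=1)
    return pcr

class SimulatedTPM:
    """Stand-in for a TPM that only releases a key when the PCR matches."""
    def __init__(self) -> None:
        self.pcr = bytes(PCR_SIZE)  # PCR value after reset

    def extend_date(self, day: date) -> None:
        self.pcr = extend(self.pcr, day.isoformat().encode())

    def key_usable(self, bound_pcr: bytes) -> bool:
        return hmac.compare_digest(self.pcr, bound_pcr)

def run_lease_demo() -> list:
    """Lease covers the third day only; check usability after each daily extend."""
    start = date(2024, 1, 1)                 # constructed sample dates
    lease_day = start + timedelta(days=2)
    bound = expected_pcr(start, lease_day)   # value the key is bound to
    tpm, results = SimulatedTPM(), []
    for offset in range(4):
        tpm.extend_date(start + timedelta(days=offset))
        results.append(tpm.key_usable(bound))
    return results

if __name__ == "__main__":
    # The lease is live only on the bound day; the next extend ends it, and
    # the hash chain cannot be rewound to the earlier value without a reset.
    print(run_lease_demo())
```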


  • James E.J. Bottomley

    IBM Research


    James Bottomley is a Distinguished Engineer at IBM Research where he
    works on Cloud and Container technology. He is also Linux Kernel
    maintainer of the SCSI subsystem. He has been a Director on the Board
    of the Linux Foundation and Chair of its Technical Advisory Board. He
    went to university at Cambridge for both his undergraduate and
    doctoral degrees after which he joined AT&T Bell labs to work on
    Distributed Lock Manager technology for clustering. In 2000 he helped
    found SteelEye Technology, a High availability company for Linux and
    Windows, becoming Vice President and CTO. He joined Novell in 2008 as
    a Distinguished Engineer at Novell’s SUSE Labs, Parallels (later Odin)
    in 2011 as CTO of Server Virtualization and IBM Research in 2016.