age-plugin-tpm requires access to the TPM when encrypting

[nbraud]

As far as I understand (from reading the source, as well as having worked with TPM 2.0 itself) the plugin generates identities as TPM-bound NIST P-256 keys, used with ECDH to wrap the age session key.

Assuming this is the case, encrypting to a TPM recipient should only require knowledge of that P-256 point/pubkey, yet age-plugin-tpm attempts to access /dev/tpmrm0 and fails if permission is denied. This is an issue in my usecase in two different ways:

• I'm managing secrets in a distributed environment, so encryption might be done on a system which does not have access to the recipient's TPM, or any TPM at all ;
• unprivileged users should be able to introduce new secrets (i.e. encrypt) without being granted decryption privileges, let alone full access to the TPM device.

[Foxboron]

I'm aware of this issue and mostly just waiting on this to be standardized and implemented in age.

C2SP/C2SP#96

If you want to implement the encryption inside the plugin without a TPM feel free to send patches :)

[nbraud]

Thanks for the swift reply <3

I didn't know about the proposed p256tag keytype, but I agree waiting for upstream to adopt it might be the best solution long-term. There doesn't seem to be much activity on that PR, but hopefully it can happen soon.

[Foxboron]

There doesn't seem to be much activity on that PR, but hopefully it can happen soon.

Filippo will work on this at some point.