I want to implement an additional layer of encryption with a TPM-encrypted password.
I think I could do a dirty hack into the decrypt/encrypt functions of SP\Core\Crypt
with something like this:
$tpmpass = exec('/usr/bin/tpm_unsealdata -i /var/www/syspass/pass.crypt.tpm -z'); // TPM-sealed password; the sealing key never leaves the TPM chip
$data = base64_encode(openssl_encrypt($data, $cipher, $tpmpass, OPENSSL_RAW_DATA, $iv)); // extra layer applied before sysPass's own encryption
$tpmpass = null; // drop the unsealed password from memory as soon as it has been used
unset($tpmpass);
return Crypto::encrypt((string) $data, $key);
and do the reverse in the decrypt function.
But if the decrypt/encrypt functions were accessible in the plugins, then an additional layer of encryption with plugins like TPM or something else (crypt over TCP or a hardware solution) would be much, much nicer.
The reason is simple: it is more secure with an additional layer (TPM or other solutions) in a tech environment with skilled employers around.
Now syspass is secure as long as no one takes the database + his login or master pass out of the office.
With TPM the employer needs the hardware too (or the cleartext password of pass.crypt.tpm on paper somewhere in the safe).
Sure, the TPM password is briefly stored in the RAM of the web server, but that's another level.
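The layered scheme sketched above, written out as a runnable added example that is not part of the original post and not sysPass code. It keeps the post's order (TPM-keyed layer first, then the application's own Crypto::encrypt with the master key) but replaces the raw-password-as-key idea with an HKDF-derived key, a fresh nonce per message and AES-256-GCM so that a ciphertext moved to another host fails with a tag error instead of decrypting to garbage. Everything below is assumed: the TpmLayer class, the TPM_DEMO_PASS environment variable standing in for tpm_unsealdata, and the placeholder Crypto class that only marks where sysPass's real master-key layer would sit.

```php
<?php
// Added example, not sysPass code. Outer encryption layer keyed by a secret
// that only this host's TPM can unseal; the application's own master-key
// layer (SP\Core\Crypt\Crypto in sysPass) is applied on top of it.

final class TpmLayer
{
    private const CIPHER = 'aes-256-gcm';
    private const MAGIC  = 'TPM1';          // format marker, also bound as AAD

    /** Obtain the TPM-sealed password.
     *  On the real host this is the post's `exec('/usr/bin/tpm_unsealdata -i ... -z')`;
     *  here a constructed environment variable stands in so the file runs offline. */
    private static function unsealPassword(): string
    {
        return getenv('TPM_DEMO_PASS') ?: 'constructed-demo-sealed-secret';
    }

    /** Derive a fixed-length key; the unsealed password is never used as the key itself. */
    private static function deriveKey(string $password): string
    {
        return hash_hkdf('sha256', $password, 32, 'syspass-outer-layer');
    }

    public static function encrypt(string $plaintext): string
    {
        $key = self::deriveKey(self::unsealPassword());
        $iv  = random_bytes(12);            // fresh 96-bit nonce per message
        $tag = '';
        $ct  = openssl_encrypt($plaintext, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, self::MAGIC);
        $key = null; unset($key);           // best effort: drop key material promptly
        if ($ct === false) {
            throw new RuntimeException('outer encryption failed');
        }
        return base64_encode(self::MAGIC . $iv . $tag . $ct);
    }

    public static function decrypt(string $blob): string
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < 4 + 12 + 16 || substr($raw, 0, 4) !== self::MAGIC) {
            throw new RuntimeException('not a TPM-layer blob');
        }
        $iv  = substr($raw, 4, 12);
        $tag = substr($raw, 16, 16);
        $ct  = substr($raw, 32);
        $key = self::deriveKey(self::unsealPassword());
        $pt  = openssl_decrypt($ct, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, self::MAGIC);
        $key = null; unset($key);
        if ($pt === false) {
            // wrong host (different unsealed secret) or tampered ciphertext
            throw new RuntimeException('outer layer authentication failed');
        }
        return $pt;
    }
}

/** Constructed placeholder for sysPass's master-key layer; NOT the real class.
 *  It only marks where Crypto::encrypt/decrypt sit in the call chain. */
final class Crypto
{
    public static function encrypt(string $data, string $key): string { return base64_encode($data); }
    public static function decrypt(string $data, string $key): string { return base64_decode($data, true); }
}

// Round trip on the "right" host: TPM layer first, then the master-key layer (same order as the post).
$masterKey = 'master-key-placeholder';
$secret    = 'account password: s3cr3t';
$stored    = Crypto::encrypt(TpmLayer::encrypt($secret), $masterKey);   // on save
$back      = TpmLayer::decrypt(Crypto::decrypt($stored, $masterKey));   // on read
if ($back !== $secret) {
    throw new RuntimeException('round trip failed');
}
echo "round trip ok\n";

// The case the post is about: database + master key carried to another machine.
// That machine cannot unseal the same password, so the GCM tag check refuses the data.
putenv('TPM_DEMO_PASS=secret-unsealed-on-some-other-host');
try {
    TpmLayer::decrypt(Crypto::decrypt($stored, $masterKey));
    echo "unexpected: decrypted on another host\n";
} catch (RuntimeException $e) {
    echo "on another host: {$e->getMessage()}\n";
}
```

Run it with `php tpm_layer.php`; it prints the successful round trip and then the refusal. The part the example cannot remove is the one the post already names: between unsealing and the `unset`, the derived key and the unsealed password live in the web server's memory, so the layer raises the bar against an offline copy of the database and master key, not against someone with code execution on the running host.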