# Key management

The TPM can generate keys internally and export them.

* Public keys can be exported unprotected.
* Private keys can only be exported protected, i.e. wrapped by a parent key.

The TPM can also import keys, whether previously exported by itself or produced by others.

## TPM as a key cache

Keys must often be used inside the TPM-confined environment, but the TPM's limited resources should not cap how many keys can exist.

Solution:

* Off-load keys to external repositories (wrapped)
* Import keys of interest
* Use cached keys
* Clear cached keys from TPM

## Key trees (aka key hierarchies)

Sequence of keys.

* Starting from a top-most, primary key
* Hierarchies can have several key trees

Primary keys are generated from hierarchy seeds and a public template:

* Algorithm, key size, policy, usage.
* Arbitrary data (kind of label).

The key derivation is deterministic:

* Same seed, same template -> same key.

### Storage keys

<figure><img src="https://234178705-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlSLj4wxc6NsT415otBid%2Fuploads%2FFsVOXZoPFBtfRJzW28Ue%2F2024-06-02_18-38.png?alt=media&#x26;token=dd3412ab-363a-4d56-81cc-aeb47479cb82" alt=""><figcaption></figcaption></figure>

Keys that encrypt keys.

* A storage key is the parent of a child key.
* It can be used to wrap the child key.
  * For exporting it.

They cannot be used for arbitrary decryption.

* Doing so could expose wrapped child keys.

### Changing seeds

A different seed yields a different key tree; the previous one is naturally flushed.

This should not happen to the endorsement seed.

* Because endorsement keys are pre-certified by the TPM manufacturer.
* Getting the certification again is complex.
* Can only be changed by the platform builder (OEM).
  * This is not an issue for the platform owner.
  * New keys can always be created with different templates.
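The key-cache, storage-key and seed-change behaviour above, as an added model (not the page's or the TPM's own code): primary keys are derived deterministically from a seed and a public template, a storage key wraps a child key for off-loading and re-import, and a new seed makes the old wrapped blobs unusable. The seeds, template, child key and the HMAC/keystream wrapping scheme are constructed stand-ins for the real TPM algorithms.

```python
import hashlib
import hmac
import os

# Constructed values standing in for the TPM's own seeds and a public template.
SEED_A = hashlib.sha256(b"constructed hierarchy seed A").digest()
SEED_B = hashlib.sha256(b"constructed hierarchy seed B").digest()
TEMPLATE = b"rsa2048|restricted-decrypt|label=storage-root"
CHILD = hashlib.sha256(b"constructed child signing key").digest()

def derive_primary(seed: bytes, template: bytes) -> bytes:
    """Model of primary-key derivation: a KDF over seed and public template,
    so the same seed and template always yield the same key."""
    return hmac.new(seed, b"primary|" + template, hashlib.sha256).digest()

def wrap(parent: bytes, child: bytes) -> bytes:
    """Model of a storage key wrapping a 32-byte child key for export:
    keystream XOR for confidentiality, HMAC tag for integrity."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(parent + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(child, stream))
    tag = hmac.new(parent, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(parent: bytes, blob: bytes) -> bytes:
    """Re-import a wrapped blob; rejects it unless this parent wrapped it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(parent, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong parent key or tampered blob")
    stream = hashlib.sha256(parent + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def key_cache_round_trip() -> dict:
    """Derive, off-load the child wrapped, re-import it, then change the seed."""
    storage = derive_primary(SEED_A, TEMPLATE)
    blob = wrap(storage, CHILD)                     # export to external repository
    reimported = unwrap(storage, blob)              # import when needed again
    new_storage = derive_primary(SEED_B, TEMPLATE)  # new seed -> new key tree
    try:
        unwrap(new_storage, blob)
        old_blob_usable = True
    except ValueError:
        old_blob_usable = False
    return {
        "deterministic": derive_primary(SEED_A, TEMPLATE) == storage,
        "template_matters": derive_primary(SEED_A, b"rsa2048|sign") != storage,
        "reimported_ok": reimported == CHILD,
        "old_blob_usable_after_seed_change": old_blob_usable,
    }
```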

### Endorsement primary keys

Need to be certified by the TPM manufacturer.

* The TPM manufacturer uses the endorsement seed to generate candidate primary keys.
  * Using well-defined templates.
* The public keys are exported and certified.
  * The manufacturer keeps the certificates.
* The keys are removed from the TPM.
  * The TPM keeps the seed that allows the recreation of keys with the same templates used by the manufacturer.

## Key duplication

A copy of a key into a different hierarchy; the key continues to exist in its original place.

Primary keys cannot be duplicated.

* Because they cannot be wrapped.
* They are generated from a seed.
  * And a template.

Duplication of parent keys can duplicate their children.

* Duplication group.

## Key attributes

### Type

* Symmetric
* Asymmetric

### Usage

* Signing
* Encryption
* Decryption

### Use restrictions

* Restrict signing
  * Attestation
* Restrict decryption
  * Storage

### Duplication restrictions

* Fixed TPM
  * Cannot be duplicated
* Fixed parent
  * Can only be duplicated under a duplicated parent

