security/keys/trusted-encrypted.rst

2 Trusted and Encrypted Keys
5 Trusted and Encrypted Keys are two new key types added to the existing kernel
6 key ring service.  Both of these new types are variable length symmetric keys,
7 and in both cases all keys are created in the kernel, and user space sees,
8 stores, and loads only encrypted blobs.  Trusted Keys require the availability
10 Keys can be used on any system.  All user level blobs, are displayed and loaded
13 Trusted Keys use a TPM both to generate and to seal the keys.  Keys are sealed
17 (future) PCR values, so keys are easily migrated to new pcr values, such as
24 By default, trusted keys are sealed under the SRK, which has the default
77 TPM_STORED_DATA format.  The key length for new keys are always in bytes.
78 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
81 Encrypted keys do not depend on a TPM, and are faster, as they use AES for
82 encryption/decryption.  New keys are created from kernel generated random
85 disadvantage of encrypted keys is that if they are not rooted in a trusted key,
90 The decrypted portion of encrypted keys can contain either a simple symmetric
167 The initial consumer of trusted keys is EVM, which at boot time needs a high
201 Other uses for trusted and encrypted keys, such as for disk and file encryption
203 in order to use encrypted keys to mount an eCryptfs filesystem.  More details
205 ``Documentation/security/keys/ecryptfs.rst``.
207 Another new format 'enc32' has been defined in order to support encrypted keys