top | item 37888030

rhn_mk1 | 2 years ago

Does the secure enclave need to be built into the main CPU though? A key store on a USB stick or on a TPM will never allow your keys to be exfiltrated, yet it's not part of the CPU, and it's even removable.

samus | 2 years ago

Such devices are called FIDO keys. But they work only if the service you're accessing also supports it. I don't even know whether there is consumer hardware that supports an external TPM for boot image verification and hard drive decryption.

A plain USB stick is not a secure place for a keystore as a compromised kernel could trivially copy it and send it somewhere else for cracking.

loup-vaillant | 2 years ago

> Such devices are called FIDO keys. But they work only if the service you're accessing also supports it.

That’s not quite true. The (web) service I’m accessing doesn’t communicate with my FIDO keys — there’s my browser in the middle. The service has no way to know whether my browser is talking with a hardware token or emulating one, and it is not privy to the details of how my browser communicates with my token.

If my browser supports FIDO on the network end, and my hardware token on the other end, it works. Now I’m guessing right now only relatively mainstream stuff like Yubikeys are supported out of the box, but support for say, the TKey (https://tillitis.se/products/tkey/), is likely only a browser extension away.

rhn_mk1 | 2 years ago

More generally, they are called smart cards, and can be in the form factor of a USB stick (not a mass-storage USB stick).