
TPM and private key protection

Let's say I create a self-signed certificate in PowerShell like this:

New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=foobar" -KeyExportPolicy NonExportable -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter $((Get-Date).AddYears(10))

The intended use of the certificate is code-signing of PowerShell scripts.

Because of the fact that the provider is the MS Platform Crypto Provider, the keys will be generated by the Trusted Platform Module (TPM) chip embedded in my motherboard.

The private key is thus now stored in the "black-box" TPM. So is there any need to wrap / password-protect the private key?

joop s asked Sep 19 '25 17:09


1 Answer

Any key created by a TPM is already wrapped, either by:

  • The storage root key for TPM 1.2, or
  • One of the primary keys indicated as the key's parent for TPM 2

So the key is wrapped by one of the root keys at the time of creating the key, and there is nothing special you have to do to make it happen. In fact, you cannot make it not happen.

The root keys themselves are guaranteed by the TPM spec to never leave the TPM. If you want to guarantee that your newly generated key will never leave the TPM either, make it non-migratable.

In addition, you can also make any of the aforementioned keys password-protected. Whether or not you do that depends on your specific requirements. Keep in mind, however, that the TPM spec is not focused on protecting against physical attacks, so if you lose physical access to your machine you should probably consider it compromised.

mnistic answered Sep 21 '25 10:09
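
To confirm that the certificate from the question is really bound to the TPM provider and carries no export flag, the key can be inspected through .NET's CNG classes. This is an added example, not part of the question or the answer; the function name Get-CertKeyProtection is hypothetical, and it assumes an RSA key as in the question's command.

```powershell
# Added example: report which provider holds a certificate's private key
# and whether the key's export policy allows it to leave that provider.
function Get-CertKeyProtection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        $result = [ordered]@{
            Subject      = $Certificate.Subject
            Thumbprint   = $Certificate.Thumbprint
            Provider     = $null
            ExportPolicy = $null
            TpmBacked    = $false
            Exportable   = $null
        }
        if ($Certificate.HasPrivateKey) {
            # Returns RSACng for CNG keys, RSACryptoServiceProvider for legacy CAPI keys,
            # and $null when the key is not RSA.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $cng = $rsa.Key
                $result.Provider     = $cng.Provider.Provider
                $result.ExportPolicy = $cng.ExportPolicy
                # Provider name taken from the -Provider argument in the question.
                $result.TpmBacked    = ($cng.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
                # Any flag other than None means some form of export or archiving is allowed.
                $result.Exportable   = ($cng.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: held by a software or smart-card CSP, not the platform provider.
                $result.Provider   = $rsa.CspKeyContainerInfo.ProviderName
                $result.Exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        [pscustomobject]$result
    }
}

# Check the certificate created in the question (subject CN=foobar, current-user store).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Subject -eq 'CN=foobar' |
    Get-CertKeyProtection
```

For the command in the question, the expected outcome is a Provider of "Microsoft Platform Crypto Provider" and an ExportPolicy of None; any other provider name means the key was not created in the TPM.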