@@ -18,17 +18,17 @@ There are two modes to using this library:
1818
1919 When you encrypt data, it can ONLY get decrypted by that * SAME* TPM:
2020
21- Encrypt:
21+ Encrypt:
2222
23- 1 . generate aead ` key `
24- 2 . ` ciphertext = AEAD_Encrypt( key, plaintext ) `
25- 3 . ` sealed_key = TPM_Seal( key ) `
23+ - ` 1 ` : generate aead ` key `
24+ - ` 2 ` : ` ciphertext = AEAD_Encrypt( key, plaintext ) `
25+ - ` 3 ` : ` sealed_key = TPM_Seal( key ) `
2626
2727
28- Decrypt:
28+ Decrypt:
2929
30- 4 . ` encryptionKey = TPM_Unseal( sealed_key ) `
31- 5 . ` plaintext = AEAD_Decrypt( key, ciphertext ) `
30+ - ` 4 ` : ` encryptionKey = TPM_Unseal( sealed_key ) `
31+ - ` 5 ` : ` plaintext = AEAD_Decrypt( key, ciphertext ) `
3232
3333---
3434
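Review bot: step `4` under Decrypt assigns to `encryptionKey` while step `5` reads `key`, so the unsealed value is never the one passed to `AEAD_Decrypt`; rename to `key = TPM_Unseal( sealed_key )` so the Decrypt steps use the same name as the Encrypt steps above them (the Alice/Bob section already does this).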
@@ -44,18 +44,18 @@ Decrypt:
4444
4545 Alice shares ` ekPub.pem ` with Bob
4646
47- Encrypt (Bob):
47+ Encrypt (Bob):
4848
49- 1 . generate aead ` key `
50- 2 . ` ciphertext = AEAD_Encrypt( key, plaintext ) `
51- 3 . ` sealed_key = TPM_Seal( key ) `
52- 4 . ` duplicate_key = TPM_Duplicate( EKPub, sealed_key ) `
49+ - ` 1 ` : generate aead ` key `
50+ - ` 2 ` : ` ciphertext = AEAD_Encrypt( key, plaintext ) `
51+ - ` 3 ` : ` sealed_key = TPM_Seal( key ) `
52+ - ` 4 ` : ` duplicate_key = TPM_Duplicate( EKPub, sealed_key ) `
5353
54- Decrypt (Alice):
54+ Decrypt (Alice):
5555
56- 5 . ` sealed_key = TPM_Import( duplicate_key ) `
57- 6 . ` key = TPM_Unseal( sealed_key ) `
58- 7 . ` plaintext = AEAD_Decrypt( key, ciphertext ) `
56+ - ` 4 ` : ` sealed_key = TPM_Import( duplicate_key ) `
57+ - ` 5 ` : ` key = TPM_Unseal( sealed_key ) `
58+ - ` 6 ` : ` plaintext = AEAD_Decrypt( key, ciphertext ) `
5959
6060---
6161
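Review bot: the renumbering of Decrypt (Alice) to `4`, `5`, `6` collides with Encrypt (Bob), whose last step is already `4` (`TPM_Duplicate`), so two different operations now share a step number. The single-TPM section in the previous hunk keeps one running sequence (Encrypt 1-3, Decrypt 4-5); keep the same convention here by restoring `5`, `6`, `7` for `TPM_Import`, `TPM_Unseal` and `AEAD_Decrypt`.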
@@ -643,6 +643,7 @@ There are two levels of encryption involved with this library and is best descri
643643 w := wrapaead.NewWrapper ()
644644 err := w.SetAesGcmKeyBytes (key)
645645 cipherText , _ := w.Encrypt (ctx, plaintext, opt...)
646+ wrappedKey.keyFile = tpm2.Seal ( tpm2_object ( type =TPMAlgKeyedHash, secret=key ) )
646647 ```
647648
648649* ` ciphertext ` : the encrypted data wrapped using ` key ` which includes the initialization vector
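Review bot: the added line `wrappedKey.keyFile = tpm2.Seal ( tpm2_object ( type =TPMAlgKeyedHash, secret=key ) )` is pseudocode (keyword-style arguments, `type` used as a parameter name) inserted into a fenced `golang` block whose other lines are real `wrapaead` calls, so the block no longer compiles as shown. Either make it a comment, e.g. `// wrappedKey.keyFile = seal(key) as a TPMAlgKeyedHash object under the TPM`, or move the description of the sealing step into the prose that follows the block.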
@@ -660,7 +661,7 @@ There are two levels of encryption involved with this library and is best descri
660661
661662If you base64decode the ` wrappedKey `
662663
663- * ` keyfile ` is the PEM encoded private key which has sealed the ` key `
664+ * ` keyfile ` is the PEM encoded TPM object which has the ` key ` sealed inside it
664665
665666The keyfile is:
666667
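Review bot: the identifier casing is inconsistent within this commit: this hunk and the following sentence use `keyfile`, while the code added in the previous hunk uses `wrappedKey.keyFile`. Pick one spelling (the field name `keyFile` if that is what appears in the serialized `wrappedKey`) and use it in both the bullet and "The keyfile is:".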
@@ -679,7 +680,7 @@ The keyfile is:
6796801 . First load the ` keyfile ` and unseal:
680681
681682 ``` golang
682- key , err := tpm2.Unseal (keyfile )
683+ key , err := tpm2.Unseal (wrappedKey. keyFile )
683684 ```
684685
6856862 . Create new * direct* aead wrapper using ` wrapaead "github.com/hashicorp/go-kms-wrapping/v2/aead" ` and set ` key ` as the decryption key.
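Review bot: step 1 says "load the `keyfile` and unseal", but the snippet `key , err := tpm2.Unseal (wrappedKey. keyFile )` shows only a single call and is pseudocode in a `golang` fence, like the line added in the earlier hunk; the load step (parsing the PEM object and loading it into the TPM under its parent) is not shown. Either expand the block to show the load followed by the unseal, or mark the line as illustrative so readers do not expect `tpm2.Unseal` to take the PEM file directly.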