
Releases: Foxboron/age-plugin-tpm

v1.0.1

24 Jan 21:03
v1.0.1
c3b8672

age-tpm-plugin v1.0.1

Bugfix release

  • Fixed a bug where one recipient without a match would abort early
  • Implemented a version flag

Generated changelog

Full Changelog: v1.0.0...v1.0.1

v1.0.0

27 Dec 23:22
v1.0.0
1799512

age-tpm-plugin v1.0.0

This marks the first stable release of age-plugin-tpm.

Couple of reasons for this

  • The plugin framework in age upstream means we no longer rely on a home brewed parser.
  • The encryption scheme from age for this plugin is standardized (more below).
  • People rely on this tool for important things, so cementing this with a stable release seems appropriate.

New Features

p256tag is now the recipient type

The previous encryption scheme in this plugin was scavenged bits of encryption
code from the main age project with sprinkled bits of TPM.

With the v1.3.0 release of age we have a standardized p256tag recipient
type that is based on a bit more modern encryption scheme. Still backed by a TPM
for key storage.

The specification can be found with the C2SP project.

age-plugin-tpm will now by default create the new tag recipients. The
internal encryption scheme tpm-ecc is now replaced with the standardized
p256tag scheme, and users of tpm recipients should migrate to newer
tag recipients. This can be done by piping your identity through a newer
version of the plugin with age-plugin-tpm -y.

age-plugin-tpm will continue to act on older recipient types, but encrypt with
the newer encryption scheme. When we encounter files encrypted with the old
scheme, or we see old recipient files, we will issue a warning that they should
be updated.

Support for persistent Storage Root Keys (SRK)

Previous versions of age-plugin-tpm would fail to operate on TPMs where access
has been locked down due to an owner password being set. With this release
age-plugin-tpm will probe the TPM for a persistent SRK to derive a key from
instead of making an ephemeral one.

This is not a security issue, so there is no need to re-create new identities.
This is mostly just a feature/convenience thing.

The internal version on the key has been bumped.

Thanks to @Popax21

Pinentry support has been removed

Pinentry depends on gnupg things. Gnupg is bad. We don't do gnupg around these parts.

We now request PIN through age.

Bug fixes

There have been no bug fixes this release. Amazing.

Generated changelog

Full Changelog: v0.3.0...v1.0.0-rc1

v1.0.0-rc1

25 Dec 00:40
v1.0.0-rc1
aadb842

v1.0.0-rc1 Pre-release

WIP release. Do not package.

Full Changelog: v0.3.0...v1.0.0-rc1

age-plugin-tpm v0.3.0

16 Feb 15:00
v0.3.0
2c8f8e8

Full Changelog: v0.2.0...v0.3.0

age-plugin-tpm v0.2.0

12 Aug 11:59
v0.2.0
cef272f

What's Changed

  • main_test: Use regexps to parse output from Run* functions by @stigtsp in #14
  • go: updated dependencies by @Foxboron in #15
  • age-plugin-tpm: add optional support for pinentry by @Foxboron in #13
  • Rename AGE_PLUGIN_TMP_SWTPM to AGE_TPM_SWTPM by @CosmicPegasis in #18

Full Changelog: v0.1.0...v0.2.0

age-plugin-tpm v0.1.0

12 Jul 13:19
v0.1.0
1d5050a

This release features a rewrite of the TPM backend and identity format.

Changes

  • Moved from the legacy tpm2 library from go-tpm to the new tpmdirect API.
  • Keys are now sealed outside of the TPM, identities are also rewritten to support this.
  • PIN support for keys.
  • TPM session encryption is used to protect the ECDH shared secret and the PIN.
  • Support for multiple recipients.

Changelog

Full Changelog: v0.0.1...v0.1.0

age-plugin-tpm v0.0.1

17 Apr 20:16
v0.0.1
fb28de2

Initial release!

Experimental

Everything is subject to change. Don't use for anything important :)