Roadmap
Here is the roadmap of upcoming features.
Web Browser PowerPass
Currently under development is a port of PowerPass into TypeScript for use with a web browser as a fully client-side password manager that can be hosted anywhere and uses local storage for your Locker.
| As of June 5, 2024 | Status |
|---|---|
| Core Functions | In Progress |
| Serialization | Not Started |
| Key Generation | Not Started |
| Encryption | Not Started |
| Descryption | Not Started |
| User Interface | Not Started |
| Unit Testing | Not Started |
Encryption for the Web Browser Edition
The browser edition of PowerPass will use the same 256-bit AES encryption as the PowerShell editions. A cryptography API has yet to be chosen, but it will likely be the Web Crypto API or CryptoJS which has since been discontinued, so it is likely the native Web Crypto API will be used.
TPM Support on Linux
Currently under development is TPM support for Linux.
| As of May 12, 2024 | Status |
|---|---|
| Initialize Context | Complete |
| Get Info | Complete |
| Create Key | Complete |
| Encrypt Locker | Proofed |
| Decrypt Locker | Pending |
| Unit Testing | Available |
The library chosen to provide support is the open-source tpm2-tss project. A TPM is a Trusted Platform Module which is a device that stores private keys which cannot be exported from the system by any user. The TPM device can be used to encrypt data without exposing the private keys to either admins or users. As such, an attacker with root privileges would have no means of acquiring the key to decrypt the data leaving brute-force as the only option. Check the /tpm folder in this repo for ongoing updates.
Can I use PowerPass TPM Edition?
If you are using Linux, the answer is (almost certainly) Yes. You will first need to compile the tpm2-tss source and deploy the binaries for your Linux distro. The tpm2-tss project has an install guide here. This project supports all major Linux distros including Debian, Fedora, and Ubuntu.
Installing tpm2-tss via PowerPass
The PowerPass repo includes make recipes for tpm2-tss on Ubuntu which have been tested on Ubuntu 22 and Ubuntu 24.
These recipes require git and will pull down tpm2-tss from Git and run the required shell commands to build tpm2-tss.
If you are using Ubuntu, you can install tpm2-tss using make from the powerpass/tpm directory using the following shell commands:
1. sudo make depends
user@server:~/powerpass/tpm$ sudo make depends
From the tpm directory of the PowerPass repo, run sudo make depends. Running sudo make depends will install all dependencies for both tpm2-tss and tpm2-tools to your environment.
2. make tpm2-tss
user@server:~/powerpass/tpm$ make tpm2-tss
Also from the tpm directory of the PowerPass repo, run make tpm2-tss. Running make tpm2-tss will use Git to clone the latest tpm2-tss version into the current directory, bootstrap, configure, and compile the libraries.
3. sudo make install
user@server:~/powerpass/tpm/tpm2-tss$ sudo make install
Next, you need to run sudo make install from the tpm2-tss subdirectory to install tpm2-tss to your environment.
4. sudo make post
user@server:~/powerpass/tpm$ sudo make post
Now, back in the tpm subdirectory of the PowerPass repo, run sudo make post which will reload your udev rules and run ldconfig per the instructions from the tpm2-tss INSTALL file.
The Feature API will not work if you do not perform this step.
5. sudo usermod -a -G tss user
user@server:~/powerpass/tpm$ sudo usermod -a -G tss [user]
Finally, you need to add your user account to the tss group.
This allows your user account to write into the profiles directory created by tpm2-tss during sudo make install.
For this to take effect, you will need to log off and log back in again before you proceed.
Compiling
Once you have tpm2-tss fully setup and ready to go, you can compile the PowerPass TPM module.
The PowerPass TPM edition module is called powerpasstpm.
The module is written in C and is compiled using the GNU Compiler Collection or gcc.
- To compile
powerpasstpmsimply runmakefrom the/powerpass/tpmdirectory - To clean up and recompile
powerpasstpmrunmake cleanthenmakeagain
NOTE: The makefile in the /tpm directory assumes your tpm2-tss libraries are in /usr/local/lib.
If they are elsewhere, you will have to edit the makefile for now at least until I make it dynamic.
Testing Your TPM
Now that everything is setup, you can test for TPM support by running Test-TpmProvider.ps1 from the /tpm directory in this repo.
This PowerShell script will compile the powerpasstpm binary using gcc via the included makefile if you have not already done so.
It will run ./powerpasstpm in test mode and fetch the TPM info from the tpm2-tss Feature API.
Lastly, it will echo the object properties received from the TPM using Get-Member.
The tpm2-tss library returns JSON for the TPM info.
You can take the output of ./powerpasstpm test and pipe it to ConvertFrom-Json to get an object and inspect it with PowerShell.
Testing
You can test powerpasstpm with the included Test-TpmProvider.ps1 PowerShell script or you can just run powerpasstpm from the shell.
| Test commands | ||
|---|---|---|
| ./powerpasstpm test | Runs in test mode | Outputs TPM info in JSON format to the console |
| ./powerpasstpm test > info.json | Runs in test mode | Saves TPM info to JSON file for review |
The test action for powerpasstpm invokes the Fapi_GetInfo function of the TCG TPM2 Feature API which echoes all the TPM capabilities of your system in JSON format.
Initialization
You can initialize PowerPass TPM edition by running:
$ ./powerpasstpm init
When you run the init command, the PowerPass TPM module will attempt to provision the Feature API for the TSS2 TPM library and create an encryption key in the TPM for the PowerPass Locker.
This will be handled automatically for you in the future from the deploy script, but for now you can run this from the shell.
Encrypting
You can test encryption using the PowerPass Locker key by running:
$ ./powerpasstpm enc
When you run the enc command, the PowerPass TPM module will attempt to encrypt a block of random data using the Locker key created during the init routine.
If successful, you will see the plain-text data and the encrypted data echoed to the terminal.