TPM 2.0 keyslots
Bind a vault to the local machine's TPM. Optional PIN, fused TPM + FIDO2, hybrid TPM + post-quantum.
A TPM 2.0 keyslot binds the vault to the specific TPM chip in the machine where you enroll it. The chip seals the wrap-KEK against its own endorsement seed; the seed never leaves the chip and is re-derived deterministically on every operation. The vault opens on that machine; it does not open on any other machine, even with the same passphrase or FIDO2 device.
Today TPM 2.0 keyslots are Linux only. Windows TBS support is
tracked behind a tss-esapi 8.0 migration; macOS does not expose a
TPM, use a Secure Enclave keyslot there instead (since
v0.4.0). The same .lbx file remains portable everywhere, only the
TPM slot is OS-specific.
When to use a TPM slot
| You want | Use |
|---|---|
| Unlock without a hardware key on the daily-use machine | TPM (no PIN) + a passphrase backup |
| Hardware-bound + something the user knows | TPM + PIN |
| Two-factor "must have YubiKey AND must be on this machine" | Fused TPM + FIDO2 (single slot, both required) |
| Post-quantum on top of TPM binding | Hybrid TPM + ML-KEM-768 / 1024 |
| All of the above | Hybrid TPM + FIDO2 + ML-KEM-768 / 1024 |
Always pair a TPM slot with a backup slot. A TPM keyslot becomes permanently unrecoverable if:
- The chip is replaced (motherboard swap, device wipe at firmware level).
- You move the vault to another machine.
- The TPM is cleared by firmware reset.
The CLI / GUI / wizard all surface a warning before creating a TPM-only vault.
Variants
| Slot kind | Inputs at unlock | Notes |
|---|---|---|
Tpm2Sealed |
TPM only | Plain TPM seal; no PIN. Binds to chip + boot policy (no PCR sealing yet). |
Tpm2SealedPin |
TPM + PIN | TPM userAuth is the PIN. Wrong PINs count toward the chip's dictionary-attack lockout (typically about 32 attempts then a multi-hour cooldown), so even short PINs are practical. |
Tpm2Fido2 |
TPM + FIDO2 hmac-secret (fused) | Single slot, both factors required; HKDF mixes TPM-unsealed value with FIDO2 hmac-secret. |
HybridPqKemTpm2 |
TPM + ML-KEM-768 decap | Hybrid PQ on top of TPM binding. |
HybridPqKem1024Tpm2 |
TPM + ML-KEM-1024 decap | Same with category-5 KEM. |
HybridPqKemTpm2Fido2 |
TPM + FIDO2 + ML-KEM-768 decap | Three-factor + PQ. |
HybridPqKem1024Tpm2Fido2 |
TPM + FIDO2 + ML-KEM-1024 decap | Strongest TPM-bound option. |
Linux: TPM access without root
Unprivileged users need read/write access to /dev/tpmrm0 (the
in-kernel resource manager). Three things have to be true:
- The
tsssystem group exists. /dev/tpm0//dev/tpmrm0are ownedroot:tsswith mode0660(this is what the udev rule does).- Your user is a member of the
tssgroup.
The .deb (since v0.2.0) Recommends tpm-udev which provides
(1) + (2). The .rpm Recommends tpm2-tss which does the
equivalent on Fedora / RHEL / openSUSE. Installing via apt /
dnf gets both for you by default. You then only have to do (3)
yourself, Debian / Fedora convention forbids silent privileged-
group additions in package scripts:
sudo usermod -aG tss "$USER"
# Log out and back in (or `newgrp tss`) for the new group to take
# effect in your shell session.
id | tr , '\n' | grep tss # confirm
ls -l /dev/tpmrm0 # expected: crw-rw---- 1 root tss ...
If you installed via the tarball, or passed
--no-install-recommends / --setopt=install_weak_deps=False,
neither the group nor the udev rule exists. Use the bundled
installer:
./install.sh --tpm-setup # creates the group + udev rule + adds you
Or do it by hand:
sudo groupadd --system tss
sudo usermod -aG tss "$USER"
sudo tee /etc/udev/rules.d/60-tpm.rules > /dev/null <<'EOF'
KERNEL=="tpm[0-9]*", MODE="0660", GROUP="tss"
KERNEL=="tpmrm[0-9]*", MODE="0660", GROUP="tss"
EOF
sudo udevadm control --reload-rules
sudo udevadm trigger
# Log out + back in.
Verify:
tpm2_getrandom --hex 8 # if you have tpm2-tools installed
luksbox info my.lbx # should not error on TPM slots
The full playbook with troubleshooting is in
docs/TPM_LINUX_PERMISSIONS.md.
CLI, create a TPM-bound vault
# Plain TPM (no PIN)
luksbox create my.lbx --kind tpm2
# TPM + PIN
luksbox create my.lbx --kind tpm2-pin
# Fused TPM + FIDO2 (both required to unlock)
luksbox create my.lbx --kind tpm2-fido2
# Hybrid TPM + ML-KEM-768
luksbox create my.lbx --kind hybrid-pq-tpm2 \
--pq-hybrid /media/usb/my.kyber
# Strongest: hybrid TPM + FIDO2 + ML-KEM-1024
luksbox create my.lbx --kind hybrid-pq-tpm2-fido21024 \
--pq-hybrid /media/usb/my.kyber
After create, the wizard / GUI offer to add a backup keyslot. The CLI emits the same warning and asks you to confirm. To enroll a backup later:
luksbox enroll my.lbx --kind passphrase
TUI / GUI
The interactive wizard and the GUI create flow both expose every TPM variant through the same factor-then-variant picker. The GUI's recent-vaults list shows a TPM-binding badge so you know which vaults are machine-bound before you try to open them on a different host.