{"id":21354884,"url":"https://github.com/salrashid123/gcs_tpm","last_synced_at":"2026-02-27T18:36:31.413Z","repository":{"id":91309982,"uuid":"391954851","full_name":"salrashid123/gcs_tpm","owner":"salrashid123","description":"GCS signedURLs and GCP Authentication with Trusted Platform Module","archived":false,"fork":false,"pushed_at":"2024-06-24T12:16:46.000Z","size":330,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-21T13:31:53.771Z","etag":null,"topics":["golang","google-cloud-platform","google-cloud-storage","trusted-platform-module"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-02T13:13:39.000Z","updated_at":"2024-06-24T12:16:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"8e3ebfa7-97a2-4cac-9a9e-27214d3882aa","html_url":"https://github.com/salrashid123/gcs_tpm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/salrashid123/gcs_tpm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcs_tpm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcs_tpm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcs_tpm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcs_tpm/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/gcs_tpm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcs_tpm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29907938,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T17:28:36.873Z","status":"ssl_error","status_checked_at":"2026-02-27T17:28:20.970Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","google-cloud-platform","google-cloud-storage","trusted-platform-module"],"created_at":"2024-11-22T04:14:48.611Z","updated_at":"2026-02-27T18:36:31.382Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GCS signedURLs  with Trusted Platform Module\n\nSamples in golang that enables the following where the private key or hmac secret is embedded with a TPM (Trusted Platform Module)\n\n1. HMAC SignedURLs:  \n   - Import a GCS HMAC secret and use it to generate a SignedURL.\n     See [GCS HMAC Signed URL](https://blog.salrashid.dev/articles/2018/gcs_hmac/)\n2. 
RSA SignedURL: \n   - Generate a service account json file\n   - Import that key into a TPM\n   - Generate SignedURL using TPM\n   - Access GCS Object\n\n---\n\n\u003e\u003e this repository is not supported by Google\n\n\n## Setup\n\nCreate a GCS bucket, object, service account and HMAC key to test with\n\n```bash\nexport PROJECT_ID=`gcloud config get-value core/project`\nexport PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`\n\n# create a gcs bucket and object\ngcloud storage buckets create gs://$PROJECT_ID-bucket\necho -n \"some text\" \u003e somefile.txt\ngcloud storage cp somefile.txt gs://$PROJECT_ID-bucket\n\n# create a service account that has access to a bucket\ngcloud iam service-accounts create tpm-svc-account --project $PROJECT_ID\ngcloud iam service-accounts keys list --iam-account tpm-svc-account@$PROJECT_ID.iam.gserviceaccount.com\n\n# allow the service account access to the bucket\ngcloud storage buckets add-iam-policy-binding  gs://$PROJECT_ID-bucket --member=\"serviceAccount:tpm-svc-account@$PROJECT_ID.iam.gserviceaccount.com\" --role=\"roles/storage.objectViewer\"\n\n# remember the hmac key and secret\ngcloud storage hmac create tpm-svc-account@$PROJECT_ID.iam.gserviceaccount.com \n\taccessId: GOOG1EV3Z4JLVW3XLMDX52PGIWFXAW7IM5VXDP-redacted\n\tsecret: WE8gT3r3PlSSgaQGs5-redacted\n```\n\nYou can use a system with a real tpm, but if you just want to test with a software tpm (`swtpm`):\n\n```bash\nrm -rf /tmp/myvtpm \u0026\u0026 mkdir /tmp/myvtpm  \u0026\u0026 sudo swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear\n```\n\nthen install [tpm2_tools](https://tpm2-tools.readthedocs.io/en/latest/INSTALL/)\n\n```bash\n$ export TPM2TOOLS_TCTI=\"swtpm:port=2321\"\n$ tpm2_pcrread sha256:0,23\n```\n\n### HMAC\n\nEmbed the HMAC key into the TPM.  
You can use golang but here we're using `tpm2_tools`.\n\nWe are going to import the hmac key using this procedure: [hmac_import](https://github.com/salrashid123/tpm2/tree/master/hmac_import)\n\n```bash\nexport HMAC_SECRET=\"WE8gT3r3PlSSgaQGs5-redacted\"\necho -n $HMAC_SECRET \u003e hmac.key\nhexkey=$(xxd -p -c 256 \u003c hmac.key)\necho $hexkey\n\ntpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a \"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt\"\n\n## note we're using sha1 for the actual hmac part\ntpm2_import -C primary.ctx -G hmac:sha1 -g sha256 -i hmac.key -u hmac.pub -r hmac.priv\ntpm2_flushcontext -t\ntpm2 load -C primary.ctx -u hmac.pub -r hmac.priv -c hmac.ctx\n\n# evict it to handle 0x81008001\ntpm2_evictcontrol -C o -c hmac.ctx 0x81008001 \ntpm2_flushcontext -t\n```\n\nAt this point the hmac key is embedded into the TPM and you can also set TPM Policies that govern how to access the key (eg, passwordPolicy, PCR Policy, etc)\n\nto run,\n\n```bash\n## if using the swtpm:\ngo run hmac/main.go --tpm-path=\"127.0.0.1:2321\" \\\n   --persistentHandle=0x81008001 \\\n   --hmacKey=\"GOOG1EV3Z4JLVW3XLMDX52PGIWFXAW7IM5VXDPB2NB2MAVJX5PYCGPHKZEVJ6\" \\\n   --bucketName=$PROJECT_ID-bucket --objectName=somefile.txt\n```\n\n![images/hmac.png](images/hmac.png)\n\n### Service Account RSA\n\nTo create a TPM-embedded signed url, you first need to associate a TPM object with a service account key.\n\nThere are several ways to do that described [Usage TpmTokenSource](https://github.com/salrashid123/oauth2#usage-tpmtokensource)\n\nbut for simplicity, we're just going to do a variation of option (A)\n\n```bash\n## first extract the key for import\ngcloud iam service-accounts keys create tpm-svc-account.json --iam-account=tpm-svc-account@$PROJECT_ID.iam.gserviceaccount.com\ncat tpm-svc-account.json | jq -r '.private_key' \u003e /tmp/f.json\nopenssl rsa -in /tmp/f.json -out /tmp/key_rsa.pem \n\ntpm2_createprimary -C o -G ecc  -g sha256  -c 
primary.ctx -a \"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt\"\n\n# import\ntpm2_import -C primary.ctx -G rsa2048:rsassa:null -g sha256 -i /tmp/key_rsa.pem -u key.pub -r key.prv\ntpm2_flushcontext  -t\ntpm2_load -C primary.ctx -u key.pub -r key.prv -c key.ctx \ntpm2_flushcontext  -t\n\n# evict it to handle 0x81008002\ntpm2_evictcontrol -C o -c key.ctx 0x81008002 \ntpm2_flushcontext -t\n```\n\nNow run:\n\n```bash\n## if using the swtpm:\ngo run svcaccount/main.go --tpm-path=\"127.0.0.1:2321\" \\\n   --persistentHandle=0x81008002 \\\n   --serviceAccountEmail=\"tpm-sa@$PROJECT_ID.iam.gserviceaccount.com\" \\\n   --bucketName=$PROJECT_ID-bucket --objectName=somefile.txt\n```\n\nwith SignedURL\n![images/signed.png](images/signed.png)\n\n---\n\n\n## References\n\n- [AWS v4 Signer for embedding Access Secrets to PKCS11 and TPMs](https://github.com/salrashid123/aws_hmac)\n\n- [TPM TokenSource for GoogleCloud](https://github.com/salrashid123/oauth2#usage-tpmtokensource)\n  golang `TokenSource` which derives GCP Oauth2 and JWTAccessTokens from a TPM for use with GCP Client libraries\n- [TPM AccessTokens using Openssl TPM library](https://github.com/salrashid123/tpm2_evp_sign_decrypt)\n  Create oauth2 and jwtaccess tokens using TPM support with openssl\n- [TPM based golang crypto.Signer](https://github.com/salrashid123/signer)\n- [Importing an external RSA key](https://github.com/salrashid123/tpm2/tree/master/tpm_import_external_rsa)\n\n- [Signed URLs Options](https://cloud.google.com/storage/docs/access-control/signed-urls#types)\n- [GCS HMAC Keys](https://cloud.google.com/storage/docs/authentication/hmackeys)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fgcs_tpm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fgcs_tpm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fgcs_tpm/lists"}