
What happens when I unseal a sealed piece of data in TPM? Does the sealed data still exist?

For example, I have a handle to sealed data hSealedData, and I do TPM_Unseal(hSealedData,...) twice in a row. Will both calls return the same unsealed data?

I couldn't find documentation about this.

1 Answer


What happens is that the current PCR values will be compared to the PCR values recorded at the time of sealing and, if they match, the object will be decrypted and sent back. Nothing will happen to the sealed data as the sealed data is not stored in the TPM, it is returned to the user at the time of sealing.

mnistic
  • And if I seal the same sealed data with other PCR values, will the first seal be overridden, or would both seals be valid? – user1595304 Jun 11 '18 at 10:37
  • They would both be valid. The TPM does not keep a record of what's been sealed (the sealed data is returned to you) so it's not like it could somehow invalidate the previous seal. – mnistic Jun 11 '18 at 14:04
  • Thanks. If I want to "override" a previous seal then, how would I be able to do that? Will I have to clear/reset the TPM? – user1595304 Jun 11 '18 at 19:05
  • When you seal some data, the TPM returns the encrypted data to you to do as you please. If you wanted to "override" it, you would simply delete that encrypted data and seal the original data again, with the new PCR values. Management of the encrypted data is up to you and the TPM has nothing to do with it. – mnistic Jun 11 '18 at 20:57
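The behaviour described in the answer and the comment thread, as an added illustration that is not part of the original post and not the real TPM 2.0 API: a constructed in-memory model of a TPM that holds only a storage-root secret and a PCR bank. Sealing returns a blob to the caller and the model keeps no record of it; unsealing recomputes the policy digest from the current PCRs and either decrypts the blob or refuses. The blob format, the HMAC-derived keystream used as a toy cipher, the `pcr_extend`/`reset_pcrs` helpers and the sample measurements are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SealedBlob:
    """What the caller gets back from seal(); the TPM model retains none of it (constructed format)."""
    pcr_indices: tuple     # PCRs the policy is bound to
    policy_digest: bytes   # hash of those PCR values at sealing time
    nonce: bytes
    ciphertext: bytes
    tag: bytes             # integrity check over nonce + ciphertext


class ToyTPM:
    """Assumed model: one secret that never leaves the device plus a bank of SHA-256 PCRs."""

    def __init__(self, num_pcrs=24):
        self._srk_secret = os.urandom(32)   # stands in for the storage root key
        self._num_pcrs = num_pcrs
        self.reset_pcrs()

    def reset_pcrs(self):
        # All PCRs start at zero, as they do after a platform reset ("reboot").
        self.pcrs = [bytes(32)] * self._num_pcrs

    def pcr_extend(self, index, measurement):
        # PCR_new = H(PCR_old || H(measurement)); extends are one-way and cannot be undone.
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _policy_digest(self, pcr_indices):
        h = hashlib.sha256()
        for i in pcr_indices:
            h.update(self.pcrs[i])
        return h.digest()

    def _keystream(self, key, nonce, length):
        # Toy HMAC-in-counter-mode stream cipher; a real TPM uses its own symmetric wrapping.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, data, pcr_indices):
        # The key is derived from the TPM secret and the policy digest, so a blob whose
        # policy digest is altered cannot be decrypted either.
        policy = self._policy_digest(pcr_indices)
        key = hmac.new(self._srk_secret, b"seal" + policy, hashlib.sha256).digest()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return SealedBlob(tuple(pcr_indices), policy, nonce, ct, tag)   # handed to caller, not stored

    def unseal(self, blob):
        # Step 1: current PCRs must reproduce the digest recorded at sealing time.
        if not hmac.compare_digest(self._policy_digest(blob.pcr_indices), blob.policy_digest):
            raise PermissionError("PCR policy check failed")
        # Step 2: verify integrity, then decrypt. The blob itself is untouched by this call.
        key = hmac.new(self._srk_secret, b"seal" + blob.policy_digest, hashlib.sha256).digest()
        expected = hmac.new(key, blob.nonce + blob.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob.tag):
            raise ValueError("sealed blob has been tampered with")
        ks = self._keystream(key, blob.nonce, len(blob.ciphertext))
        return bytes(a ^ b for a, b in zip(blob.ciphertext, ks))


def try_unseal(tpm, blob):
    """Return the plaintext, or None when the PCR policy does not match."""
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def demo():
    tpm = ToyTPM()
    secret = b"disk encryption key (constructed sample)"
    tpm.pcr_extend(7, b"bootloader-v1")          # boot state 1
    blob_a = tpm.seal(secret, [7])
    first = tpm.unseal(blob_a)
    second = tpm.unseal(blob_a)                  # nothing was consumed; same result again
    tpm.pcr_extend(7, b"kernel-v1")              # boot state 2: PCR 7 now differs
    blob_b = tpm.seal(secret, [7])               # second seal of the same data
    a_after_extend = try_unseal(tpm, blob_a)     # policy mismatch -> None
    b_after_extend = try_unseal(tpm, blob_b)
    tpm.reset_pcrs()                             # "reboot" and replay boot state 1
    tpm.pcr_extend(7, b"bootloader-v1")
    a_after_replay = try_unseal(tpm, blob_a)     # first seal was never overridden
    return {"secret": secret, "first": first, "second": second,
            "a_after_extend": a_after_extend, "b_after_extend": b_after_extend,
            "a_after_replay": a_after_replay}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model makes the three points from the thread concrete: two consecutive unseals of one blob return the same plaintext; a second seal of the same data under different PCR values produces an independent blob and invalidates nothing; and which blob unseals at any moment depends only on the current PCR state, so "overriding" a seal means discarding the old blob yourself.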