How to use TPM for secure zero-touch device on-boarding

Pantacor Hub uses the TPM (Trusted Platform Module) to onboard new devices securely and to keep connected devices secure. The workflow described in this post lets devices authenticate with TPM-backed TLS, using a certificate that is issued for, and valid on, your computer only.

TPM is a type of hardware security module. TPMs use what’s called an endorsement key, or EK, as the root of trust. Each EK is unique to the TPM. Like most authentication key systems, TPM works using public and private key pairs. Pantacor Hub is the device provisioning system and it uses the EK_private key along with an Attestation Identity Certificate Key (AIK) to authenticate the device.

TPM Attestation overview

The authentication process begins with a device registering with the Attestation Certificate Authority (ACA). An IAK certificate is obtained from the Attestation Identity Certificate (AIK) device registry on Pantacor Hub. The device also receives an IDevID from the Pantacor Hub Certificate Authority. The TPM uses the IDevID certificate together with the public key to create a secure TLS connection with the Pantacor Hub API. This type of secure workflow is called remote TPM attestation, and it has been implemented by companies such as Microsoft; see the Azure TPM attestation documentation for more information.

How TPM Attestation works in Pantacor Hub

The TPM remote attestation authentication flow uses the Endorsement Key Certificate (EK) and the Attestation Identity Key Certificate (AIK) as a key certificate pair.

The AIK certificate is validated and signed by the Attestation Certificate Authority (ACA) server using the EK certificate, the EK key, and AK public key (another key created from the TPM).


Using that combination, we create a new certificate request, called the IDevID, to identify the device. This certificate is signed with a private key saved on the TPM, and this key has the certification data loaded onto the TPM (documentation about the tpm_certificate).

Next, the ACA takes this information and then validates the IDevID as something loaded into a real TPM (since IAK validates the TPM via the EK certificate) and continues to validate the ownership of the device against the user on Pantacor Hub. We can therefore use any communication with the IDevID as a legitimate authorization method for the device. 
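
The order of checks described above can be modelled as follows. This is an added example, not Pantacor Hub's code: toy RSA over fixed primes stands in for the TPM's key operations and for X.509 signatures, and every name in it (`device_request`, `aca_issue_idevid`, the `aik_registry` mapping, the token strings) is hypothetical. It assumes the ACA has already bound the AK to the EK and recorded that binding in its AIK registry.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Toy RSA key (modulus, private exponent); stands in for a TPM-held key."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    return pow(digest(msg, key[0]), key[1], key[0])

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed keys built from Mersenne primes: illustration only, not secure.
MFR = keypair(2**31 - 1, 2**61 - 1)       # TPM manufacturer CA (signs EK certs)
AK = keypair(2**89 - 1, 2**107 - 1)       # attestation key inside the TPM
IDEVID = keypair(2**127 - 1, 2**521 - 1)  # device identity key inside the TPM
EK_PUB = 0xE0D0C0B0A                      # constructed placeholder EK public value

def device_request(owner_token, idev_key=IDEVID):
    """What the device sends: EK cert, AK certification of the IDevID key, CSR."""
    idev_n = idev_key[0]
    return {"ek_pub": EK_PUB, "ek_cert_sig": sign(str(EK_PUB).encode(), MFR),
            "idevid_pub": idev_n, "owner_token": owner_token,
            "ak_certify_sig": sign(str(idev_n).encode(), AK),
            "csr_sig": sign(f"{idev_n}|{owner_token}".encode(), idev_key)}

def aca_issue_idevid(req, mfr_n, aik_registry, hub_owners):
    """Run the ACA checks in order; return (issued, reason)."""
    if not verify(str(req["ek_pub"]).encode(), req["ek_cert_sig"], mfr_n):
        return False, "EK certificate not signed by a trusted TPM manufacturer"
    ak_n = aik_registry.get(req["ek_pub"])  # AK the ACA already bound to this EK
    if ak_n is None:
        return False, "no AIK registered for this EK"
    idev_n = req["idevid_pub"]
    if not verify(str(idev_n).encode(), req["ak_certify_sig"], ak_n):
        return False, "IDevID key was not certified by this TPM's AK"
    csr = f"{idev_n}|{req['owner_token']}".encode()
    if not verify(csr, req["csr_sig"], idev_n):
        return False, "CSR not signed by the IDevID private key"
    if req["owner_token"] not in hub_owners:
        return False, "ownership token does not match a Pantacor Hub user"
    return True, "IDevID issued"
```

A request whose IDevID key was generated outside the TPM fails at the AK certification step, and changing the ownership token after the request was signed fails at the CSR signature step, before the ownership lookup is reached.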

How to use TPM keys with Pantacor Hub

To implement this feature, you will need to build your image with Pantavisor to include specific parameters that add the ownership data that will be embedded in the IDevID certificate.

For example, use the following parameters in your build file:

PV_AUTOTOK_FILE=~/device_autojointoken.json \
./ x64-uefi-installer

This builds the image with the initial ownership data that starts the TPM process. After this, you can start your x64 machine and begin the installation process. After you’ve done this, the next steps are very straightforward.

See also, “How Pantavisor and Pantacor Hub Work Together” 

Install Pantavisor x64 UEFI

Select the Pantavisor installer (auto) to install it to the main hard drive of your machine. Do not select the (auto TPM) options unless the TPM-ACA workflow refers to them; those options are for the encrypted disk functionality only.


To change the target device on which Pantavisor is installed, enter manual mode, run `pvf-install`, and follow the instructions to select the correct device.

After that, the device will begin the process and reset a couple of times until you can see it in your Pantacor Hub device list.


Now everything will be set up so that you can use your device just like any other Pantacor Hub device.


Final Thoughts

Check out the Community Forum and website for Pantavisor Linux. You’ll find additional tutorials as well as an introduction to Pantabox, our front-end for managing Pantavisor Linux.

Happy trails.