feat: TPM challenge-response provider #76

@coreyleavitt

Description

Summary

Add TPM (Trusted Platform Module) support as a challenge-response provider, enabling hardware-bound database protection using the TPM chip built into most modern computers.

Background

TPM provides hardware-backed key storage where key material never leaves the chip. This is different from Windows Hello (which KeePassXC supports) - Windows Hello stores encrypted credentials that get decrypted, while true TPM challenge-response keeps the key sealed in hardware.

Proposed Implementation

```python
from kdbxtool import Database, TpmHmac

# Create provider using TPM-sealed key
provider = TpmHmac(key_handle=0x81000001)  # Persistent handle

# Use with database
db = Database.open("vault.kdbx", password="secret", challenge_response_provider=provider)
```

Platform Support

| Platform | Library | Notes |
|----------|---------|-------|
| Windows | tpm2-pytss or Windows TSS | TPM 2.0 |
| Linux | tpm2-pytss | TPM 2.0 |
| macOS | Security framework | Secure Enclave (similar concept) |

Key Operations

  1. Key Creation: Generate HMAC key sealed in TPM
  2. Challenge-Response: Send challenge, TPM computes HMAC internally
  3. Key Persistence: Store in TPM's persistent storage (survives reboots)

Trade-offs

Pros:

  • Key material never extractable, even if OS compromised
  • True hardware-bound 2FA
  • Built into most modern laptops/desktops (no extra hardware)
  • Can be combined with TPM PCR policies (boot state binding)

Cons:

  • Machine-bound - database can only be opened on that specific computer
  • If TPM fails/resets, access is lost (requires backup credential)
  • Cross-platform API differences

Tasks

  • Research tpm2-pytss library API
  • Design key provisioning workflow
  • Implement TpmHmac provider class
  • Add platform detection and appropriate backend
  • Consider Secure Enclave support for macOS
  • Add tests with TPM simulator
  • Documentation for key setup

Related

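The following is a worked sketch of the provider interface the issue describes, added here as an illustration; it is not kdbxtool's code and not the issue author's. The composite-key construction (SHA-256 over the hashed password and the hashed HMAC response, with the database's KDF seed as the challenge) is a simplified assumption in the style of the YubiKey scheme, not the KDBX byte layout. `SoftwareHmacProvider`, `TpmHmacProvider`, `composite_key`, `unlock`, and the tpm2-pytss calls `tr_from_tpmpublic` and `hmac` are this example's assumptions and should be checked against the installed library. The software backend doubles as the backup credential from the trade-offs list: that only works because the HMAC secret was generated on the host and provisioned into both places, which is the provisioning decision a TPM-generated key forecloses.

```python
"""Challenge-response provider shape for a KDBX-style composite key.

Added example, not kdbxtool's code. SoftwareHmacProvider stands in for the TPM
during testing; TpmHmacProvider shows the same interface over tpm2-pytss
(assumed API, not exercised here). The composite-key layout is a simplified
illustration, not the kdbxtool or KDBX format.
"""
import hashlib
import hmac
import os
from typing import Optional, Protocol, Sequence


class ProviderUnavailable(Exception):
    """The device holding the HMAC key cannot answer (e.g. TPM cleared or reset)."""


class ChallengeResponseProvider(Protocol):
    def challenge(self, challenge: bytes) -> bytes: ...


class SoftwareHmacProvider:
    """Test/backup backend: same interface as the TPM, key held in process memory."""

    def __init__(self, secret: bytes) -> None:
        self._secret: Optional[bytes] = secret

    def challenge(self, challenge: bytes) -> bytes:
        if self._secret is None:
            raise ProviderUnavailable("key no longer present (simulated TPM clear)")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def wipe(self) -> None:
        """Simulate TPM2_Clear: the key is gone and this provider can never answer again."""
        self._secret = None


class TpmHmacProvider:
    """TPM 2.0 backend: the HMAC is computed inside the chip with a persistent key.

    Assumed tpm2-pytss ESAPI calls (tr_from_tpmpublic, hmac); verify against the
    installed version before relying on this.
    """

    def __init__(self, key_handle: int = 0x81000001) -> None:
        self._handle = key_handle  # persistent handle, survives reboots

    def challenge(self, challenge: bytes) -> bytes:
        try:
            from tpm2_pytss import ESAPI, TPM2B_MAX_BUFFER, TPM2_ALG
        except ImportError as exc:
            raise ProviderUnavailable("tpm2-pytss not installed") from exc
        ectx = ESAPI()
        try:
            key = ectx.tr_from_tpmpublic(self._handle)
            digest = ectx.hmac(key, TPM2B_MAX_BUFFER(challenge), TPM2_ALG.SHA256)
            return bytes(digest.buffer)  # only the response leaves the chip
        finally:
            ectx.close()


def composite_key(password: str, provider: Optional[ChallengeResponseProvider],
                  kdf_seed: bytes) -> bytes:
    """Composite key: SHA-256 over the hashed password and the hashed response.

    The challenge is the KDF seed from the database header. It is regenerated on
    every save, so a response captured during one unlock does not open the next
    version of the file.
    """
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode("utf-8")).digest())
    if provider is not None:
        h.update(hashlib.sha256(provider.challenge(kdf_seed)).digest())
    return h.digest()


def unlock(password: str, providers: Sequence[ChallengeResponseProvider],
           kdf_seed: bytes) -> bytes:
    """Try the primary provider, then backups provisioned with the same HMAC secret.

    A key generated inside the TPM has no copy anywhere else; a backup credential
    is only possible if the secret was host-generated and imported into each device.
    """
    last: Optional[Exception] = None
    for p in providers:
        try:
            return composite_key(password, p, kdf_seed)
        except ProviderUnavailable as exc:
            last = exc
    raise ProviderUnavailable("no provider could answer the challenge") from last


if __name__ == "__main__":
    secret = os.urandom(32)   # constructed: secret provisioned into primary and backup
    seed = os.urandom(32)     # constructed: KDF seed read from the database header
    primary, backup = SoftwareHmacProvider(secret), SoftwareHmacProvider(secret)
    key1 = unlock("hunter2", [primary, backup], seed)
    primary.wipe()            # TPM reset: the primary can no longer answer
    key2 = unlock("hunter2", [primary, backup], seed)
    print("same key after fallback:", key1 == key2)
```

Swapping `SoftwareHmacProvider` for `TpmHmacProvider` changes nothing above the `challenge()` call, which is the point of the interface: the database code never sees key material, only the response. Binding the TPM key to a PCR policy would go into the key's creation template and the authorization session used for the HMAC call, not into this layer.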