Now that every contemporary computer contains a TPM 2.0, DefGuard could use it for proving device identity. Only enrolled devices would be able to establish a VPN connection. Every connection would use its own "wrapped key" in the TPM.
This would be an additional step during enrollment of a client on a server - if the server administrator chooses to enable it.
This is unbreakable: a remote attacker is unable to steal the key and use it on another device. The wrapped key itself is stored on disk, not in the limited space of the TPM chip. It is encrypted by the TPM using the master Storage Root Key, and the Storage Root Key never leaves the TPM.
This doesn't remove the need for a strong second factor, so that the attacker is unable to activate/deactivate the connection at their whim.
That would be a game changer for DefGuard's security.
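A worked model of the mechanism described above, added here as an example rather than DefGuard's own code: a `SimulatedTPM` class generates a Storage Root Key internally and never returns it, hands the caller only a wrapped blob (what would sit on disk) plus a public key (what the server records at enrollment), and signs server challenges without the unwrapped key ever leaving the object. Two stand-ins keep it standard-library only: an HMAC-SHA256 stream cipher with an authentication tag models the TPM wrapping, and a Lamport one-time hash-based signature models a TPM-resident signing key; the `VpnServer` class, the device id `laptop-01` and the sample challenge are constructed for the example. The one-time key fits the post's "one wrapped key per connection", although a real TPM key is reusable.

```python
"""Toy model of a TPM-wrapped device-identity key for VPN enrollment.

Added example, not DefGuard code. Stand-ins (assumptions): HMAC-SHA256
stream + tag for TPM wrapping under the SRK; Lamport one-time signature
for a TPM-resident signing key.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedTPM:
    """Models the chip boundary: the SRK is generated inside the object and
    no method ever returns it or an unwrapped private key."""

    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)

    def _keystream(self, iv: bytes, n: int) -> bytes:
        blocks = (n + 31) // 32
        return b"".join(
            hmac.new(self._srk, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(blocks)
        )[:n]

    def _wrap(self, secret: bytes) -> bytes:
        # iv || ciphertext || tag: this blob is what would be stored on disk.
        iv = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(iv, len(secret))))
        tag = hmac.new(self._srk, iv + ct, hashlib.sha256).digest()
        return iv + ct + tag

    def _unwrap(self, blob: bytes) -> bytes:
        iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._srk, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob was not wrapped by this TPM's SRK")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(iv, len(ct))))

    def create_identity_key(self) -> Tuple[bytes, List[bytes]]:
        """Lamport key pair: return (wrapped private key, public key)."""
        priv = [secrets.token_bytes(32) for _ in range(512)]  # two preimages per bit
        pub = [H(p) for p in priv]
        return self._wrap(b"".join(priv)), pub

    def sign_challenge(self, blob: bytes, challenge: bytes) -> List[bytes]:
        """Unwrap inside the 'chip' and reveal one preimage per bit of H(challenge)."""
        priv = self._unwrap(blob)
        digest = H(challenge)
        sig = []
        for i in range(256):
            bit = (digest[i // 8] >> (7 - i % 8)) & 1
            idx = 2 * i + bit
            sig.append(priv[idx * 32:(idx + 1) * 32])
        return sig


def verify_challenge(pub: List[bytes], challenge: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    digest = H(challenge)
    ok = True
    for i in range(256):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        ok &= hmac.compare_digest(H(sig[i]), pub[2 * i + bit])
    return ok


class VpnServer:
    """Holds only the public keys recorded at enrollment."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, List[bytes]] = {}

    def enroll(self, device_id: str, pub: List[bytes]) -> None:
        self._enrolled[device_id] = pub

    def authenticate(self, device_id: str, signer: Callable[[bytes], List[bytes]]) -> bool:
        pub = self._enrolled.get(device_id)
        if pub is None:
            return False
        challenge = secrets.token_bytes(32)  # fresh nonce, so a captured response cannot be replayed
        try:
            return verify_challenge(pub, challenge, signer(challenge))
        except ValueError:
            return False  # the device could not unwrap the key blob


def demo() -> Dict[str, bool]:
    server = VpnServer()
    laptop = SimulatedTPM()
    blob, pub = laptop.create_identity_key()  # blob -> disk, pub -> server
    server.enroll("laptop-01", pub)           # constructed device id
    other_machine = SimulatedTPM()            # a different chip with its own SRK
    return {
        "enrolled_device": server.authenticate("laptop-01", lambda c: laptop.sign_challenge(blob, c)),
        "copied_blob_on_other_device": server.authenticate("laptop-01", lambda c: other_machine.sign_challenge(blob, c)),
        "unknown_device": server.authenticate("desktop-99", lambda c: laptop.sign_challenge(blob, c)),
    }


if __name__ == "__main__":
    print(demo())
```

The `copied_blob_on_other_device` case is the property the post relies on: the blob read off disk is only useful to the chip whose SRK wrapped it, so the second `SimulatedTPM` fails the tag check and the server sees no valid response. The `unknown_device` case shows why enrollment is the gate: without a recorded public key there is nothing to verify against.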