tpm2tss-genkey(1) General Commands Manual tpm2tss-genkey(1)

NAME
tpm2tss-genkey(1) – generate TPM keys for tpm2-tss-engine

SYNOPSIS
tpm2tss-genkey [options] <filename>

DESCRIPTION
tpm2tss-genkey creates a key inside a TPM 2.0 connected via the tpm2tss
software stack. Those keys may be an RSA key for decryption or signing
or an ECC key for ECDSA signatures.

The tool respects the OPENSSL_CONF option for specifying engine specific
control parameters. See config(5) for details on OpenSSL config
files.

The tpm2tss-genkey command expects a filename for storing the resulting
TPM key information. This file can then be loaded with OpenSSL using
openssl pkeyutl -engine tpm2tss -keyform engine -inkey <filename>.

OPTIONS
• -a <algorithm>, --alg <algorithm>: The public key algorithm (rsa,
ecdsa) (default: rsa)

• -c <curve>, --curve <curve>: If alg ecdsa is chosen, the curve for
ecc (default: nist_p256)

• -u <file>, --public <file>: Public key (TPM2B_PUBLIC) to be imported.
Requires -r.

• -r <file>, --private <file>: The (encrypted) private key (TPM2B_PRIVATE)
to be imported. Requires -u.

• -e <exponent>, --exponent <exponent>: If alg rsa is chosen, the
exponent for rsa (default: 65537)

• -h, --help: Print help

• -o <password>, --ownerpw <password>: Password for the owner hierarchy
(default: none). OpenSSL config control command: SET_OWNERAUTH

• -p <password>, --password <password>: Password for the created key
(default: none)

• -P <handle>, --parent <handle>: Specific handle for the parent key
(default: none)

• -s <keysize>, --keysize <keysize>: If alg rsa is chosen, the key size
in bits (default: 2048)

• -v, --verbose: Print verbose messages

• -W <password>, --parentpw <password>: Password for the parent key
(default: none). OpenSSL config control command: SET_PARENTAUTH

• -t <tcti-conf>, --tcti <tcti-conf>: TCTI configuration string
(default: none). OpenSSL config control command: SET_TCTI
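As an added example that is not part of the original manual page: an OpenSSL configuration file that supplies the control commands listed above through OPENSSL_CONF, so the TCTI and authorization values need not be repeated on every command line. The engine library path and the TCTI string are assumptions for the local system.

```ini
# tpm2tss.cnf (added example; the library path and TCTI string are assumptions)
# Use it with:  OPENSSL_CONF=/etc/ssl/tpm2tss.cnf tpm2tss-genkey -a rsa -s 2048 mykey
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
tpm2tss = tpm2tss_section

[tpm2tss_section]
engine_id = tpm2tss
# Path of the engine shared object; adjust to the local OpenSSL engines
# directory (assumed path). It can be omitted when the engine is installed
# in OpenSSL's default engines directory.
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libtpm2tss.so
init = 1

# Keys OpenSSL does not recognise in an engine section are passed to the
# engine as control commands; these are the ones named under OPTIONS.
# Go through the in-kernel resource manager, not the raw device (assumed TCTI).
SET_TCTI = device:/dev/tpmrm0
# Owner and parent authorization values. They are stored here in clear text,
# so restrict the file (e.g. chmod 600) or omit them and pass -o / -W on the
# command line instead. Placeholders below, not real secrets.
SET_OWNERAUTH = OWNER-AUTH-PLACEHOLDER
SET_PARENTAUTH = PARENT-AUTH-PLACEHOLDER
```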

EXAMPLES
Engine information can be retrieved using:

$ openssl engine -t -c tpm2tss

The following sequence of commands creates an RSA key using the TPM,
exports the public key, encrypts a data file and decrypts it using the
TPM:

$ tpm2tss-genkey -a rsa -s 2048 mykey
$ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
$ openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata

The following sequence of commands creates an RSA key using the TPM,
exports the public key, signs a data file using the TPM and validates
the signature:

$ tpm2tss-genkey -a rsa -s 2048 mykey
$ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig

The following sequence of commands creates an ECDSA key using the TPM,
exports the public key, signs a data file using the TPM and validates
the signature:

$ tpm2tss-genkey -a ecdsa -c nist_p256 mykey
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig

RETURNS
0 on success or 1 on failure.

AUTHOR
Written by Andreas Fuchs.

COPYRIGHT
tpm2tss is Copyright (C) 2017-2018 Fraunhofer SIT sponsored by Infineon
Technologies AG. License BSD 3-clause.

SEE ALSO
openssl(1)


tpm2-tss-engine OCTOBER 2020 tpm2tss-genkey(1)