tpm2_encryptdecrypt(1)      General Commands Manual     tpm2_encryptdecrypt(1)

NAME

       tpm2_encryptdecrypt(1) - performs symmetric encryption or decryption.

SYNOPSIS

       tpm2_encryptdecrypt [OPTIONS]

DESCRIPTION

       tpm2_encryptdecrypt(1) - performs symmetric encryption or decryption
       with a specified symmetric key.

OPTIONS

       · -k, --key-handle=KEY_HANDLE: the symmetric key used for the operation
         (encryption/decryption).

       · -c, --key-context=KEY_CONTEXT_FILE: filename of the key context used
         for the operation.

       · -P, --pwdk=KEY_PASSWORD: filename of the key context used for the
         operation.  The password for parent key, optional.  Passwords should
         follow the password formatting standards, see section “Password
         Formatting”.

       · -D, --decrypt: Perform a decrypt operation.  Default is encryption.

       · -I, --in-file=INPUT_FILE: Input file path containing data for decrypt
         or encrypt operation.

       · -S, --input-session-handle=SESSION_HANDLE: Optional input session
         handle from a policy session for authorization.

COMMON OPTIONS

       This collection of options is common to many programs and provides
       information that many users may expect.

       · -h, --help: Display the tool's manpage.  This requires the manpages
         to be installed or on MANPATH, see man(1) for more details.

       · -v, --version: Display version information for this tool, supported
         TCTIs and exit.

       · -V, --verbose: Increase the information that the tool prints to the
         console during its execution.  When using this option the file and
         line number are printed.

       · -Q, --quiet: Silence normal tool output to stdout.

       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
         if an errata fixup needs to be applied to commands sent to the TPM.

TCTI ENVIRONMENT

       This collection of environment variables may be used to configure the
       various TCTI modules available.

       The values passed through these variables can be overridden on a
       per-command basis using the available command line options, see the
       TCTI OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the
         next component down the TSS stack.  In most configurations this will
         be the TPM but it could be a simulator or proxy.  The current known
         TCTIs are:

         · tabrmd - The new resource manager, called tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old resource manager, or talking
           directly to a simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM
         device file.  The default is “/dev/tpm0”.

         Note: Using the TPM directly requires the users to ensure that
         concurrent access does not occur and that they manage the TPM
         resources.  These tasks are usually managed by a resource manager.
         Linux 4.12 and greater supports an in-kernel resource manager at
         “/dev/tpmrm”, typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the
         domain name or IP address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port
         number used.  The default is 2321.

TCTI OPTIONS

       This collection of options is used to configure the various TCTI
       modules available.  They override any environment variables.

       · -T, --tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for
         communication with the next component down the TSS stack.  In most
         configurations this will be the resource manager: tabrmd
         (https://github.com/01org/tpm2-abrmd).  Optionally, TCTI-specific
         options can be appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI
           can be specified.  The default is /dev/tpm0.  Example:
           -T device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number
           used by the socket can be specified.  The defaults are 127.0.0.1
           and 2321.  Example: -T socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd

Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A
       string password is not interpreted, and is directly used for
       authorization.  A hex-string is converted from a hexadecimal form into
       a byte array form, thus allowing passwords with non-printable and/or
       terminal-unfriendly characters.

       By default passwords are assumed to be in the string form.  Password
       form is specified with special prefix values, they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a
         password that starts with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.

EXAMPLES

              tpm2_encryptdecrypt -k 0x81010001 -P abc123 -D NO -I <filePath> -o <filePath>
              tpm2_encryptdecrypt -c key.context -P abc123 -D NO -I <filePath> -o <filePath>
              tpm2_encryptdecrypt -k 0x81010001 -P 123abca -X -D NO -I <filePath> -o <filePath>

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)

tpm2-tools                      SEPTEMBER 2017          tpm2_encryptdecrypt(1)