1tpm2_encryptdecrypt(1)      General Commands Manual     tpm2_encryptdecrypt(1)
2
3
4

NAME

6       tpm2_encryptdecrypt(1) - Performs symmetric encryption or decryption.
7

SYNOPSIS

9       tpm2_encryptdecrypt [OPTIONS] [ARGUMENT]
10

DESCRIPTION

12       tpm2_encryptdecrypt(1)  -  Performs  symmetric encryption or decryption
13       with a specified symmetric key on the contents of FILE.  If FILE is not
14       specified, defaults to stdin.
15

OPTIONS

17       · -c, --key-context=OBJECT:
18
19         The encryption key object.
20
21       · -p, --auth=AUTH:
22
23         The authorization value for the encryption key object.
24
25       · -d, --decrypt:
26
27         Perform a decrypt operation.  Defaults to encryption when this option
28         is not specified.
29
30       · -e, --pad:
31
32         Enable pkcs7 padding for applicable AES encryption modes cfb/cbc/ecb.
33         Applicable  only  to  encryption  and  for input data with last block
34         shorter than encryption block length.
35
36       · -o, --output=FILE or STDOUT:
37
38         The output file path for either the encrypted or decrypted data.   If
39         not specified, defaults to stdout.
40
41       · -G, --mode=ALGORITHM:
42
43         The  key  algorithm  associated with this object.  Defaults to object
44         properties or CFB if not defined.
45
46       · -t, --iv=FILE:
47
48         Optional initialization vector to use.  Defaults to 0's.  Syntax  al‐
49         lows  for  an input file and output file source to be specified.  The
50         input file path is first, optionally followed by a colon ":" and  the
51         output  iv  path.   This  output iv can be saved for subsequent calls
52         when chaining.
53
54       · ARGUMENT the command line argument specifies the input file path FILE
55         of the data to encrypt or decrypt.
56
57   References

Context Object Format

59       The  type  of a context object, whether it is a handle or file name, is
60       determined according to the following logic in-order:
61
62       · If the argument is a file path, then the file is loaded as a restored
63         TPM transient object.
64
65       · If the argument is a prefix match on one of:
66
67         · owner: the owner hierarchy
68
69         · platform: the platform hierarchy
70
71         · endorsement: the endorsement hierarchy
72
73         · lockout: the lockout control persistent object
74
75       · If  the  argument argument can be loaded as a number it will be treat
76         as a handle, e.g.  0x81010013 and used directly.OBJECT.
77

Authorization Formatting

79       Authorization for use of an object in TPM2.0 can come  in  3  different
80       forms: 1.  Password 2.  HMAC 3.  Sessions
81
82       NOTE:  "Authorizations  default  to  the EMPTY PASSWORD when not speci‐
83       fied".
84
85   Passwords
86       Passwords are interpreted in the following  forms  below  using  prefix
87       identifiers.
88
89       Note:  By  default  passwords are assumed to be in the string form when
90       they do not have a prefix.
91
92   String
93       A string password, specified by prefix  "str:"  or  it's  absence  (raw
94       string without prefix) is not interpreted, and is directly used for au‐
95       thorization.
96
97   Examples
98              foobar
99              str:foobar
100
101   Hex-string
102       A hex-string password, specified by prefix "hex:" is converted  from  a
103       hexidecimal  form  into a byte array form, thus allowing passwords with
104       non-printable and/or terminal un-friendly characters.
105
106   Example
107              hex:0x1122334455667788
108
109   File
110       A file based password, specified be prefix "file:" should be  the  path
111       of  a  file  containing the password to be read by the tool or a "-" to
112       use stdin.  Storing passwords in files  prevents  information  leakage,
113       passwords passed as options can be read from the process list or common
114       shell history features.
115
116   Examples
117              # to use stdin and be prompted
118              file:-
119
120              # to use a file from a path
121              file:path/to/password/file
122
123              # to echo a password via stdin:
124              echo foobar | tpm2_tool -p file:-
125
126              # to use a bash here-string via stdin:
127
128              tpm2_tool -p file:- <<< foobar
129
130   Sessions
131       When using a policy session to authorize the use of an  object,  prefix
132       the  option argument with the session keyword.  Then indicate a path to
133       a session file that was created with tpm2_startauthsession(1).  Option‐
134       ally, if the session requires an auth value to be sent with the session
135       handle (eg policy password), then append a + and a string as  described
136       in the Passwords section.
137
138   Examples
139       To use a session context file called session.ctx.
140
141              session:session.ctx
142
143       To use a session context file called session.ctx AND send the authvalue
144       mypassword.
145
146              session:session.ctx+mypassword
147
148       To use a session context file called session.ctx AND send the HEX auth‐
149       value 0x11223344.
150
151              session:session.ctx+hex:11223344
152
153   PCR Authorizations
154       You  can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
155       language.      The     PCR     minilanguage     is     as      follows:
156       <pcr-spec>=<raw-pcr-file>
157
158       The PCR spec is documented in in the section "PCR bank specifiers".
159
160       The  raw-pcr-file  is an optional the output of the raw PCR contents as
161       returned by tpm2_pcrread(1).
162
163       PCR bank specifiers (common/pcr.md)
164
165   Examples
166       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
167       er of:
168
169              pcr:sha256:0,1,2,3
170
171       specifying AUTH.
172

Algorithm Specifiers

174       Options that take algorithms support "nice-names".
175
176       There  are two major algorithm specification string classes, simple and
177       complex.  Only certain algorithms will be accepted by the TPM, based on
178       usage and conditions.
179
180   Simple specifiers
181       These are strings with no additional specification data.  When creating
182       objects, non-specified portions of an object are assumed  to  defaults.
183       You can find the list of known "Simple Specifiers Below".
184
185   Asymmetric
186       · rsa
187
188       · ecc
189
190   Symmetric
191       · aes
192
193       · camellia
194
195   Hashing Algorithms
196       · sha1
197
198       · sha256
199
200       · sha384
201
202       · sha512
203
204       · sm3_256
205
206       · sha3_256
207
208       · sha3_384
209
210       · sha3_512
211
212   Keyed Hash
213       · hmac
214
215       · xor
216
217   Signing Schemes
218       · rsassa
219
220       · rsapss
221
222       · ecdsa
223
224       · ecdaa
225
226       · ecschnorr
227
228   Asymmetric Encryption Schemes
229       · oaep
230
231       · rsaes
232
233       · ecdh
234
235   Modes
236       · ctr
237
238       · ofb
239
240       · cbc
241
242       · cfb
243
244       · ecb
245
246   Misc
247       · null
248
249   Complex Specifiers
250       Objects,  when  specified  for creation by the TPM, have numerous algo‐
251       rithms to populate in the public data.  Things like  type,  scheme  and
252       asymmetric  details,  key  size,  etc.  Below is the general format for
253       specifying this data: <type>:<scheme>:<symmetric-details>
254
255   Type Specifiers
256       This portion of the complex algorithm specifier is required.   The  re‐
257       maining  scheme  and  symmetric  details will default based on the type
258       specified and the type of the object being created.
259
260       · aes - Default AES: aes128
261
262       · aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
263         If mode is not specified, defaults to null.
264
265       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
266
267       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
268
269       · ecc - Elliptical Curve, defaults to ecc256.
270
271       · ecc192 - 192 bit ECC
272
273       · ecc224 - 224 bit ECC
274
275       · ecc256 - 256 bit ECC
276
277       · ecc384 - 384 bit ECC
278
279       · ecc521 - 521 bit ECC
280
281       · rsa - Default RSA: rsa2048
282
283       · rsa1024 - RSA with 1024 bit keysize.
284
285       · rsa2048 - RSA with 2048 bit keysize.
286
287       · rsa4096 - RSA with 4096 bit keysize.
288
289   Scheme Specifiers
290       Next, is an optional field, it can be skipped.
291
292       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
293       Most signing schemes take a hash algorithm directly following the sign‐
294       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
295       Some take no arguments, and some take multiple arguments.
296
297   Hash Optional Scheme Specifiers
298       These scheme specifiers are followed by a dash and a valid  hash  algo‐
299       rithm, For example: oaep-sha256.
300
301       · oaep
302
303       · ecdh
304
305       · rsassa
306
307       · rsapss
308
309       · ecdsa
310
311       · ecschnorr
312
313   Multiple Option Scheme Specifiers
314       This  scheme  specifier  is  followed by a count (max size UINT16) then
315       folloed by a dash(-) and a valid hash algorithm.  * ecdaa For  example,
316       ecdaa4-sha256.  If no count is specified, it defaults to 4.
317
318   No Option Scheme Specifiers
319       This scheme specifier takes NO arguments.  * rsaes
320
321   Symmetric Details Specifiers
322       This  field is optional, and defaults based on the type of object being
323       created and it's attributes.  Generally, any valid Symmetric  specifier
324       from  the Type Specifiers list should work.  If not specified, an asym‐
325       metric objects symmetric details defaults to aes128cfb.
326
327   Examples
328   Create an rsa2048 key with an rsaes asymmetric encryption scheme
329       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
330
331   Create an ecc256 key with an ecdaa signing scheme with a count of 4
332       and sha384 hash
333
334       /tpm2_create -C parent.ctx -G ecc256:ec‐
335       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
336

COMMON OPTIONS

338       This  collection of options are common to many programs and provide in‐
339       formation that many users may expect.
340
341       · -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
342         attempts  to  invoke  the  manpager for the tool, however, on failure
343         will output a short tool summary.  This is the same behavior  if  the
344         "man"  option argument is specified, however if explicit "man" is re‐
345         quested, the tool will provide errors from man  on  stderr.   If  the
346         "no-man"  option  if  specified, or the manpager fails, the short op‐
347         tions will be output to stdout.
348
349         To successfully use the manpages feature requires the manpages to  be
350         installed or on MANPATH, See man(1) for more details.
351
352       · -v,  --version:  Display version information for this tool, supported
353         tctis and exit.
354
355       · -V, --verbose: Increase the information that the tool prints  to  the
356         console  during  its  execution.  When using this option the file and
357         line number are printed.
358
359       · -Q, --quiet: Silence normal tool output to stdout.
360
361       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
362         if  an  errata fixup needs to be applied to commands sent to the TPM.
363         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
364         formation many users may expect.
365

TCTI Configuration

367       The  TCTI  or  "Transmission  Interface" is the communication mechanism
368       with the TPM.  TCTIs can be changed for communication with TPMs  across
369       different mediums.
370
371       To control the TCTI, the tools respect:
372
373       1. The command line option -T or --tcti
374
375       2. The environment variable: TPM2TOOLS_TCTI.
376
377       Note:  The  command  line option always overrides the environment vari‐
378       able.
379
380       The current known TCTIs are:
381
382       · tabrmd     -     The     resource     manager,     called      tabrmd
383         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
384         abrmd as a tcti name are synonymous.
385
386       · mssim - Typically used for communicating to the TPM software  simula‐
387         tor.
388
389       · device - Used when talking directly to a TPM device file.
390
391       · none  - Do not initalize a connection with the TPM.  Some tools allow
392         for off-tpm options and thus support not using a TCTI.  Tools that do
393         not  support  it  will error when attempted to be used without a TCTI
394         connection.  Does not support ANY options and MUST  BE  presented  as
395         the exact text of "none".
396
397       The  arguments  to  either  the  command line option or the environment
398       variable are in the form:
399
400       <tcti-name>:<tcti-option-config>
401
402       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
403       tion-config> results in the default being used for that portion respec‐
404       tively.
405
406   TCTI Defaults
407       When a TCTI is not specified, the default TCTI is  searched  for  using
408       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
409       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
410       what TCTI will be chosen as the default by using the -v option to print
411       the version information.  The "default-tcti" key-value pair will  indi‐
412       cate which of the aforementioned TCTIs is the default.
413
414   Custom TCTIs
415       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
416       tools internally use dlopen(3), and the raw tcti-name value is used for
417       the lookup.  Thus, this could be a path to the shared library, or a li‐
418       brary name as understood by dlopen(3) semantics.
419

TCTI OPTIONS

421       This collection of options are used to configure the various known TCTI
422       modules available:
423
424       · device: For the device TCTI, the TPM character device file for use by
425         the device TCTI can be specified.  The default is /dev/tpm0.
426
427         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
428         vice:/dev/tpm0"
429
430       · mssim:  For  the  mssim  TCTI, the domain name or IP address and port
431         number used by the simulator  can  be  specified.   The  default  are
432         127.0.0.1 and 2321.
433
434         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
435         TI="mssim:host=localhost,port=2321"
436
437       · abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
438         ries  of  simple  key value pairs separated by a ',' character.  Each
439         key and value string are separated by a '=' character.
440
441         · TCTI abrmd supports two keys:
442
443           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
444              string).
445
446           2. 'bus_type' : The type of the dbus instance (a string) limited to
447              'session' and 'system'.
448
449         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
450         ample.FooBar:
451
452         \--tcti=tabrmd:bus_name=com.example.FooBar
453
454         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
455         sion:
456
457         \--tcti:bus_type=session
458
459         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
460         ules.
461

EXAMPLES

Create an AES key

464              tpm2_createprimary -c primary.ctx
465              tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
466              tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
467

Encrypt and Decrypt some data

469              echo "my secret" > secret.dat
470              tpm2_encryptdecrypt -c key.ctx -o secret.enc secret.dat
471              tpm2_encryptdecrypt -d -c key.ctx -o secret.dec secret.enc
472              cat secret.dec
473              my secret
474

Returns

476       Tools can return any of the following codes:
477
478       · 0 - Success.
479
480       · 1 - General non-specific error.
481
482       · 2 - Options handling error.
483
484       · 3 - Authentication error.
485
486       · 4 - TCTI related error.
487
488       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
489

BUGS

491       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
492

HELP

494       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
495
496
497
498tpm2-tools                                              tpm2_encryptdecrypt(1)
Impressum