tpm2_rsadecrypt(1)

1tpm2_rsadecrypt(1)          General Commands Manual         tpm2_rsadecrypt(1)
2
3
4

6       tpm2_rsadecrypt(1)  -  Performs  an  RSA decryption operation using the
7       TPM.
8

10       tpm2_rsadecrypt [OPTIONS] [ARGUMENT]
11

13       tpm2_rsadecrypt(1) - Performs RSA decryption on the  contents  of  file
14       using the indicated padding scheme according to IETF RFC 3447 (PKCS#1).
15       Command line argument defaults to stdin if not specified.
16
17       The key referenced by key-context is required to be:
18
19       1. An RSA key
20
21       2. Have the attribute decrypt SET in it's attributes.
22

24       · -c, --key-context=OBJECT:
25
26         Context object pointing to the the public portion of RSA key  to  use
27         for decryption.  Either a file or a handle number.  See section "Con‐
28         text Object Format".
29
30       · -p, --auth=AUTH:
31
32         Optional authorization value to use the key specified by -c.
33
34       · -o, --output=FILE:
35
36         Optional output file path to record the decrypted data to.   The  de‐
37         fault is to print the binary encrypted data to STDOUT.
38
39       · -s, --scheme=FORMAT:
40
41         Optional, set the padding scheme (defaults to rsaes).
42
43         · null - TPM_ALG_NULL uses the key's scheme if set.
44
45         · rsaes - TPM_ALG_RSAES which is RSAES_PKCSV1.5.
46
47         · oaep - TPM_ALG_OAEP which is RSAES_OAEP.
48
49       · -l, --label=FILE OR STRING:
50
51         Optional,  set  the  label data.The TPM requires the last byte of the
52         label to be zero, this is handled internally to the tool.   No  other
53         embedded 0 bytes can exist or the TPM will truncate your label.
54
55       · ARGUMENT the command line argument specifies the file containing data
56         to be decrypted.
57
58   References

60       The type of a context object, whether it is a handle or file  name,  is
61       determined according to the following logic in-order:
62
63       · If the argument is a file path, then the file is loaded as a restored
64         TPM transient object.
65
66       · If the argument is a prefix match on one of:
67
68         · owner: the owner hierarchy
69
70         · platform: the platform hierarchy
71
72         · endorsement: the endorsement hierarchy
73
74         · lockout: the lockout control persistent object
75
76       · If the argument argument can be loaded as a number it will  be  treat
77         as a handle, e.g.  0x81010013 and used directly.OBJECT.
78

80       Authorization  for  use  of an object in TPM2.0 can come in 3 different
81       forms: 1.  Password 2.  HMAC 3.  Sessions
82
83       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
84       fied".
85
86   Passwords
87       Passwords  are  interpreted  in  the following forms below using prefix
88       identifiers.
89
90       Note: By default passwords are assumed to be in the  string  form  when
91       they do not have a prefix.
92
93   String
94       A  string  password,  specified  by  prefix "str:" or it's absence (raw
95       string without prefix) is not interpreted, and is directly used for au‐
96       thorization.
97
98   Examples
99              foobar
100              str:foobar
101
102   Hex-string
103       A  hex-string  password, specified by prefix "hex:" is converted from a
104       hexidecimal form into a byte array form, thus allowing  passwords  with
105       non-printable and/or terminal un-friendly characters.
106
107   Example
108              hex:0x1122334455667788
109
110   File
111       A  file  based password, specified be prefix "file:" should be the path
112       of a file containing the password to be read by the tool or  a  "-"  to
113       use  stdin.   Storing  passwords in files prevents information leakage,
114       passwords passed as options can be read from the process list or common
115       shell history features.
116
117   Examples
118              # to use stdin and be prompted
119              file:-
120
121              # to use a file from a path
122              file:path/to/password/file
123
124              # to echo a password via stdin:
125              echo foobar | tpm2_tool -p file:-
126
127              # to use a bash here-string via stdin:
128
129              tpm2_tool -p file:- <<< foobar
130
131   Sessions
132       When  using  a policy session to authorize the use of an object, prefix
133       the option argument with the session keyword.  Then indicate a path  to
134       a session file that was created with tpm2_startauthsession(1).  Option‐
135       ally, if the session requires an auth value to be sent with the session
136       handle  (eg policy password), then append a + and a string as described
137       in the Passwords section.
138
139   Examples
140       To use a session context file called session.ctx.
141
142              session:session.ctx
143
144       To use a session context file called session.ctx AND send the authvalue
145       mypassword.
146
147              session:session.ctx+mypassword
148
149       To use a session context file called session.ctx AND send the HEX auth‐
150       value 0x11223344.
151
152              session:session.ctx+hex:11223344
153
154   PCR Authorizations
155       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
156       language.       The     PCR     minilanguage     is     as     follows:
157       <pcr-spec>=<raw-pcr-file>
158
159       The PCR spec is documented in in the section "PCR bank specifiers".
160
161       The raw-pcr-file is an optional the output of the raw PCR  contents  as
162       returned by tpm2_pcrread(1).
163
164       PCR bank specifiers (common/pcr.md)
165
166   Examples
167       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
168       er of:
169
170              pcr:sha256:0,1,2,3
171
172       specifying AUTH.
173

175       This collection of options are common to many programs and provide  in‐
176       formation that many users may expect.
177
178       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
179         attempts to invoke the manpager for the  tool,  however,  on  failure
180         will  output  a short tool summary.  This is the same behavior if the
181         "man" option argument is specified, however if explicit "man" is  re‐
182         quested,  the  tool  will  provide errors from man on stderr.  If the
183         "no-man" option if specified, or the manpager fails,  the  short  op‐
184         tions will be output to stdout.
185
186         To  successfully use the manpages feature requires the manpages to be
187         installed or on MANPATH, See man(1) for more details.
188
189       · -v, --version: Display version information for this  tool,  supported
190         tctis and exit.
191
192       · -V,  --verbose:  Increase the information that the tool prints to the
193         console during its execution.  When using this option  the  file  and
194         line number are printed.
195
196       · -Q, --quiet: Silence normal tool output to stdout.
197
198       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
199         if an errata fixup needs to be applied to commands sent to  the  TPM.
200         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
201         formation many users may expect.
202

204       The TCTI or "Transmission Interface"  is  the  communication  mechanism
205       with  the TPM.  TCTIs can be changed for communication with TPMs across
206       different mediums.
207
208       To control the TCTI, the tools respect:
209
210       1. The command line option -T or --tcti
211
212       2. The environment variable: TPM2TOOLS_TCTI.
213
214       Note: The command line option always overrides  the  environment  vari‐
215       able.
216
217       The current known TCTIs are:
218
219       · tabrmd      -     The     resource     manager,     called     tabrmd
220         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
221         abrmd as a tcti name are synonymous.
222
223       · mssim  - Typically used for communicating to the TPM software simula‐
224         tor.
225
226       · device - Used when talking directly to a TPM device file.
227
228       · none - Do not initalize a connection with the TPM.  Some tools  allow
229         for off-tpm options and thus support not using a TCTI.  Tools that do
230         not support it will error when attempted to be used  without  a  TCTI
231         connection.   Does  not  support ANY options and MUST BE presented as
232         the exact text of "none".
233
234       The arguments to either the command  line  option  or  the  environment
235       variable are in the form:
236
237       <tcti-name>:<tcti-option-config>
238
239       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
240       tion-config> results in the default being used for that portion respec‐
241       tively.
242
243   TCTI Defaults
244       When  a  TCTI  is not specified, the default TCTI is searched for using
245       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
246       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
247       what TCTI will be chosen as the default by using the -v option to print
248       the  version information.  The "default-tcti" key-value pair will indi‐
249       cate which of the aforementioned TCTIs is the default.
250
251   Custom TCTIs
252       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
253       tools internally use dlopen(3), and the raw tcti-name value is used for
254       the lookup.  Thus, this could be a path to the shared library, or a li‐
255       brary name as understood by dlopen(3) semantics.
256

258       This collection of options are used to configure the various known TCTI
259       modules available:
260
261       · device: For the device TCTI, the TPM character device file for use by
262         the device TCTI can be specified.  The default is /dev/tpm0.
263
264         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
265         vice:/dev/tpm0"
266
267       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
268         number  used  by  the  simulator  can  be specified.  The default are
269         127.0.0.1 and 2321.
270
271         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
272         TI="mssim:host=localhost,port=2321"
273
274       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
275         ries of simple key value pairs separated by a  ','  character.   Each
276         key and value string are separated by a '=' character.
277
278         · TCTI abrmd supports two keys:
279
280           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
281              string).
282
283           2. 'bus_type' : The type of the dbus instance (a string) limited to
284              'session' and 'system'.
285
286         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
287         ample.FooBar:
288
289         \--tcti=tabrmd:bus_name=com.example.FooBar
290
291         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
292         sion:
293
294         \--tcti:bus_type=session
295
296         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
297         ules.
298

300   Create an RSA key and load it
301              tpm2_createprimary -c primary.ctx
302              tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
303              tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
304
305   Encrypt using RSA
306              echo "my message" > msg.dat
307              tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat
308
309   Decrypt using RSA
310              tpm2_rsadecrypt -c key.ctx -o msg.ptext msg.enc
311              cat msg.ptext
312              my message
313

315       Tools can return any of the following codes:
316
317       · 0 - Success.
318
319       · 1 - General non-specific error.
320
321       · 2 - Options handling error.
322
323       · 3 - Authentication error.
324
325       · 4 - TCTI related error.
326
327       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
328

330       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
331

333       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
334
335
336
337tpm2-tools                                                  tpm2_rsadecrypt(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP