tpm2tss-genkey(1)           General Commands Manual          tpm2tss-genkey(1)


NAME

       tpm2tss-genkey(1) -- generate TPM keys for tpm2-tss-engine


SYNOPSIS

       tpm2tss-genkey [options] <filename>


DESCRIPTION

       tpm2tss-genkey creates a key inside a TPM 2.0 connected via the tpm2tss
       software stack.  Such a key may be an RSA key for decryption or signing
       or an ECC key for ECDSA signatures.

       The tool respects the OPENSSL_CONF environment variable for specifying
       engine-specific control parameters.  See config(5) for details on
       OpenSSL configuration files.


ARGUMENTS

       The tpm2tss-genkey command expects a filename for storing the resulting
       TPM key information.  This file can then be loaded with  OpenSSL  using
       openssl pkeyutl -engine tpm2tss -keyform engine -inkey <filename>.


OPTIONS

       · -a <algorithm>,  --alg <algorithm>:  The  public  key algorithm (rsa,
         ecdsa) (default: rsa)

       · -c <curve>, --curve <curve>: If alg ecdsa is chosen,  the  curve  for
         ecc (default: nist_p256)

       · -e <exponent>, --exponent <exponent>: If alg rsa is chosen, the
         exponent for rsa (default: 65537)

       · -h, --help: Print help

       · -o <password>, --ownerpw <password>: Password for the owner hierarchy
         (default: none) OpenSSL config control command: SET_OWNERAUTH

       · -p <password>,  --password <password>:  Password  for the created key
         (default: none)

       · -P <handle>, --parent <handle>: Specific handle for  the  parent  key
         (default: none)

       · -s <keysize>, --keysize <keysize>: If alg rsa is chosen, the key size
         in bits (default: 2048)

       · -v, --verbose: Print verbose messages

       · -W <password>, --parentpw <password>: Password  for  the  parent  key
         (default: none) OpenSSL config control command: SET_PARENTAUTH

       · -t <tcti-conf>,  --tcti <tcti-conf>:  TCTI  Configuration string
         (default: none) OpenSSL config control command: SET_TCTI

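       The OPENSSL_CONF mechanism named in DESCRIPTION and the SET_TCTI,
       SET_OWNERAUTH and SET_PARENTAUTH control commands listed above can be
       combined in one configuration file.  The following file is an added
       example and not part of the tpm2-tss-engine project; the engine path,
       the TCTI string and the commented-out password are assumptions.

```ini
# Added example: an OPENSSL_CONF file for tpm2tss-genkey and the tpm2tss
# engine.  Usage: OPENSSL_CONF=/path/to/this/file tpm2tss-genkey mykey
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
tpm2tss = tpm2tss_section

[tpm2tss_section]
# Assumed install location of the engine; adjust to your distribution.
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libtpm2tss.so
engine_id = tpm2tss
default_algorithms = ALL
init = 1

# SET_TCTI (same as -t/--tcti): talk to the kernel resource manager
# /dev/tpmrm0 rather than the raw /dev/tpm0 device, so the engine shares
# the TPM with other users of the chip.  The TCTI string is an assumption.
SET_TCTI = device:/dev/tpmrm0

# SET_PARENTAUTH (same as -W/--parentpw) and SET_OWNERAUTH (-o/--ownerpw)
# take passwords.  A value written here is a secret at rest, so either keep
# this file readable only by the user running the tool (mode 0600) or pass
# the password on the command line and leave these lines commented out.
# SET_PARENTAUTH = CHANGE-ME-parent-password
# SET_OWNERAUTH  = CHANGE-ME-owner-password
```

       Every key in the engine section other than engine_id, dynamic_path,
       default_algorithms and init is handed to the engine as a control
       command, which is how the three SET_* names above reach tpm2tss.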

EXAMPLES

       Engine information can be retrieved using:

              $ openssl engine -t -c tpm2tss

       The following sequence of commands creates an RSA key  using  the  TPM,
       exports  the public key, encrypts a data file and decrypts it using the
       TPM:

              $ tpm2tss-genkey -a rsa -s 2048 mykey
              $ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
              $ openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher
              $ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata

       The following sequence of commands creates an RSA key  using  the  TPM,
       exports  the  public key, signs a data file using the TPM and validates
       the signature:

              $ tpm2tss-genkey -a rsa -s 2048 mykey
              $ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
              $ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
              $ openssl pkeyutl -pubin -inkey mykey.pub -verify -in mydata -sigfile mysig

       The following sequence of commands creates an ECDSA key using the  TPM,
       exports  the  public key, signs a data file using the TPM and validates
       the signature:

              $ tpm2tss-genkey -a ecdsa -c nist_p256 mykey
              $ openssl ec -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
              $ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
              $ openssl pkeyutl -pubin -inkey mykey.pub -verify -in mydata -sigfile mysig


RETURNS

       0 on success or 1 on failure.

AUTHOR
       Written by Andreas Fuchs.

COPYRIGHT
       tpm2tss is Copyright (C) 2017-2018 Fraunhofer SIT sponsored by Infineon
       Technologies AG.  License BSD 3-clause.

SEE ALSO
       openssl(1)



tpm2-tss-engine                    JUNE 2018                 tpm2tss-genkey(1)