1tss2_createseal(1) General Commands Manual tss2_createseal(1)
2
3
4
6 tss2_createseal(1) -
7
9 tss2_createseal [OPTIONS]
10
12 fapi-config(5) to adjust Fapi parameters like the used cryptographic
13 profile and TCTI or directories for the Fapi metadata storages.
14
15 fapi-profile(5) to determine the cryptographic algorithms and parame‐
16 ters for all keys and operations of a specific TPM interaction like the
17 name hash algorithm, the asymmetric signature algorithm, scheme and pa‐
18 rameters and PCR bank selection.
19
21 tss2_createseal(1) - This command creates a sealed object and stores it
22 in the FAPI metadata store. If no data is provided (i.e. a NULL-point‐
23 er) then the TPM generates random data and fills the sealed object.
24 TPM signing schemes are used as specified in the cryptographic profile
25 (cf., fapi-profile(5)).
26
28 These are the available options:
29
30 • -p, --path=STRING:
31
32 The path to the new key.
33
34 • -t, --type=STRING:
35
36 Identifies the intended usage. Optional parameter. Types may be any
37 comma-separated combination of:
38
39 - "exportable": Clears the fixedTPM and fixedParent attributes of a key or
40 sealed object.
41 - "noda": Sets the noda attribute of a key or NV index.
42 - "system": Stores the data blobs and metadata for a created key or seal
43 in the system-wide directory instead of user's personal directory.
44 - A hexadecimal number (e.g. "0x81000001"): Marks a key object to be
45 made persistent and sets the persistent object handle to this value.
46
47 • -P, --policyPath=STRING:
48
49 Identifies the policy to be associated with the new key. Optional
50 parameter. If omitted then no policy will be associated with the
51 key.
52
53 A policyPath is composed of two elements, separated by “/”. A poli‐
54 cyPath starts with “/policy”. The second path element identifies the
55 policy or policy template using a meaningful name.
56
57 • -a, --authValue=STRING:
58
59 The new UTF-8 password. Optional parameter. If it is neglected then
60 the user is queried interactively for a password. To set no pass‐
61 word, this option should be used with the empty string (""). The
62 maximum password size is determined by the digest size of the chosen
63 name hash algorithm in the cryptographic profile (cf., fapi-pro‐
64 file(5)). For example, choosing SHA256 as hash algorithm, allows
65 passwords of a maximum size of 32 characters.
66
67 • -i, --data=FILENAME or - (for stdin):
68
69 The data to be sealed by the TPM. Optional parameter. Must not be
70 used together with --size.
71
72 • -s, --size=INTEGER:
73
74 Determines the number of random bytes the TPM should generate and
75 seal. Optional parameter. Must not be “0”. Must no be used togeth‐
76 er with --data.
77
79 This collection of options are common to all tss2 programs and provide
80 information that many users may expect.
81
82 • -h, --help [man|no-man]: Display the tools manpage. By default, it
83 attempts to invoke the manpager for the tool, however, on failure
84 will output a short tool summary. This is the same behavior if the
85 “man” option argument is specified, however if explicit “man” is re‐
86 quested, the tool will provide errors from man on stderr. If the
87 “no-man” option if specified, or the manpager fails, the short op‐
88 tions will be output to stdout.
89
90 To successfully use the manpages feature requires the manpages to be
91 installed or on MANPATH, See man(1) for more details.
92
93 • -v, --version: Display version information for this tool, supported
94 tctis and exit.
95
97 Create a key with password “abc” and read sealing data from file.
98 tss2_createseal --path=HS/SRK/mySealKey --type="noDa" --authValue=abc --data=data.file
99
101 0 on success or 1 on failure.
102
104 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
105
107 See the Mailing List (https://lists.linuxfoundation.org/mailman/listin‐
108 fo/tpm2)
109
110
111
112tpm2-tools APRIL 2019 tss2_createseal(1)