tpm2_rsadecrypt man page

tpm2_rsadecrypt(1) — Performs an RSA Decryption operation using the TPM.


tpm2_tpm2_rsadecrypt [Options]


tpm2_rsadecrypt(1) performs RSA decryption using the indicated padding scheme according to IETF RFC 3447 (PKCS#1). The scheme of keyHandle should not be TPM_ALG_NULL.

The key referenced by keyHandle is required to be:


an RSA key


Have the attribute decrypt SET in it's attributes.


Common Options

This collection of options are common to many programs and provide information that many users may expect.

This collection of environment variables that may be used to configure the various TCTI modules available.

The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.

The variables respected depend on how the software was configured.

Tcti Options

This collection of options are used to configure the varous TCTI modules available. They override any environment variables.

Password Formatting

Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.

By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:


tpm2_rsadecrypt -k 0x81010001 -I -o plain.out


0 on success or 1 on failure.


Github Issues (


See the Mailing List (


SEPTEMBER 2017 tpm2-tools General Commands Manual