tpm2_sign man page

tpm2_sign(1) — Sign a hash using the TPM.


tpm2_sign [Options]


tpm2_sign(1) signs an externally provided hash with the specified symmetric or asymmetric signing key. If keyHandle references a restricted signing key, then validation shall be provided, indicating that the TPM performed the hash of the data and validation shall indicate that hashed data did not start with TPM_GENERATED_VALUE. The scheme of keyHandle should not be TPM_ALG_NULL.


Common Options

This collection of options are common to many programs and provide information that many users may expect.

This collection of environment variables that may be used to configure the various TCTI modules available.

The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.

The variables respected depend on how the software was configured.

Tcti Options

This collection of options are used to configure the varous TCTI modules available. They override any environment variables.

Password Formatting

Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.

By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:

Supported Hash Algorithms

Supported hash algorithms are:

NOTE: Your TPM may not support all algorithms.

Algorithm Specfiers

Options that take algorithms support "nice-names". Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance TPM_ALG_SHA3_256 becomes sha3_256.

The algorithms can be found at: <>

Signature Format Specifiers

Format selection for the signature output file. tss (the default) will output a binary blob according to the TPM 2.0 specification and any potential compiler padding. The option plain will output the plain signature data as defined by the used cryptographic algorithm. # EXAMPLES

tpm2_sign -k 0x81010001 -P abc123 -g sha256 -m <filePath> -s <filePath> -t <filePath>
tpm2_sign -c key.context -P abc123 -g sha256 -m <filePath> -s <filePath> -t <filePath>


0 on success or 1 on failure.


Github Issues (


See the Mailing List (


SEPTEMBER 2017 tpm2-tools General Commands Manual