tpm2tss-genkey - Man Page

generate TPM keys for tpm2-tss-engine

Synopsis

tpm2tss-genkey [options] <filename>

Description

tpm2tss-genkey creates a key inside a TPM 2.0 connected via the tpm2tss software stack. The key may be an RSA key for decryption or signing, or an ECC key for ECDSA signatures.

Arguments

The tpm2tss-genkey command expects a filename for storing the resulting TPM key information. This file can then be loaded with OpenSSL using openssl pkeyutl -engine tpm2tss -keyform engine -inkey <filename>.

Options

Examples

Engine information can be retrieved using:

$ openssl engine -t -c tpm2tss

The following sequence of commands creates an RSA key using the TPM, exports the public key, encrypts a data file and decrypts it using the TPM:

$ tpm2tss-genkey -a rsa -s 2048 mykey
$ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
$ openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata

The following sequence of commands creates an RSA key using the TPM, exports the public key, signs a data file using the TPM and validates the signature:

$ tpm2tss-genkey -a rsa -s 2048 mykey
$ openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -pubin -inkey mykey.pub -verify -in mydata -sigfile mysig

The following sequence of commands creates an ECDSA key using the TPM, exports the public key, signs a data file using the TPM and validates the signature:

$ tpm2tss-genkey -a ecdsa mykey
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig

Returns

0 on success or 1 on failure.

Author

Written by Andreas Fuchs.

See Also

openssl(1)

Info

JUNE 2018 tpm2-tss-engine General Commands Manual