tss2_createkey(1) - This commands creates a key inside the TPM and stores it in the FAPI metadata store and if requested persistently inside the TPM.
These are the available options:
-p, --path STRING:
The path to the new key.
-t, --type STRING:
Identifies the intended usage. Optional parameter. Types may be any comma-separated combination of:
- "sign": Sets the sign attribute of a key. - "decrypt": Sets the decrypt attribute of a key. - Hint: If neither sign nor decrypt are provided, both attributes are set. - "restricted": Sets the restricted attribute of a key. - Hint: If restricted is set, sign or decrypt (but not both) need to be set. - "exportable": Clears the fixedTPM and fixedParent attributes of a key or sealed object. - "noda": Sets the noda attribute of a key or NV index. - "system": Stores the data blobs and metadata for a created key or seal in the system-wide directory instead of user's personal directory. - A hexadecimal number (e.g. "0x81000001"): Marks a key object to be made persistent and sets the persistent object handle to this value.
-P, --policyPath STRING:
The policy to be associated with the new key. Optional parameter. If omitted then no policy will be associated with the key.
A policyPath is composed of two elements, separated by “/”. A policyPath starts with “/policy”. The second path element identifies the policy or policy template using a meaningful name.
-a, --authValue STRING:
The new UTF-8 password. Optional parameter. If it is neglected then the user is queried interactively for a password. To set no password, this option should be used with the empty string ("").
This collection of options are common to all tss2 programs and provide information that many users may expect.
-h, --help [man|no-man]: Display the tools manpage. By default, it attempts to invoke the manpager for the tool, however, on failure will output a short tool summary. This is the same behavior if the “man” option argument is specified, however if explicit “man” is requested, the tool will provide errors from man on stderr. If the “no-man” option if specified, or the manpager fails, the short options will be output to stdout.
To successfully use the manpages feature requires the manpages to be installed or on MANPATH, See man(1) for more details.
- -v, --version: Display version information for this tool, supported tctis and exit.
Create a key without password
tss2_createkey --path HS/SRK/myRsaCryptKey --type "noDa, decrypt" --authValue ""
Create a key, ask for password on the command line
tss2_createkey --path HS/SRK/myRsaCryptKey --type "noDa, decrypt"
Create a key with password “abc”.
tss2_createkey --path HS/SRK/myRsaCryptKey --type "noDa, decrypt" --authValue abc
0 on success or 1 on failure.
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)