.\" Automatically generated by Pandoc 1.19.2.4
.\"
.TH "tpm2tss\-genkey" "1" "JUNE 2018" "tpm2\-tss\-engine" "General Commands Manual"
.hy
.SH NAME
.PP
\f[B]tpm2tss\-genkey\f[](1) \-\- generate TPM keys for tpm2\-tss\-engine
.SH SYNOPSIS
.PP
\f[B]tpm2tss\-genkey\f[] [\f[I]options\f[]] <\f[I]filename\f[]>
.SH DESCRIPTION
.PP
\f[B]tpm2tss\-genkey\f[] creates a key inside a TPM 2.0 connected via the
tpm2tss software stack.
The key is either an RSA key for decryption or signing, or an ECC key for
ECDSA signatures.
.PP
The tool respects the OPENSSL_CONF environment variable for specifying
engine\-specific control parameters.
See \f[C]config(5)\f[] for details on OpenSSL config files.
.SH ARGUMENTS
.PP
The \f[C]tpm2tss\-genkey\f[] command expects a filename for storing the
resulting TPM key information.
This file can then be loaded with OpenSSL using
\f[C]openssl\ pkeyutl\ \-engine\ tpm2tss\ \-keyform\ engine\ \-inkey\ \f[]\f[I]filename\f[].
.SH OPTIONS
.IP \[bu] 2
\f[C]\-a\ \f[], \f[C]\-\-alg\ \f[]: The public key algorithm (rsa, ecdsa) (default: rsa)
.IP \[bu] 2
\f[C]\-c\ \f[], \f[C]\-\-curve\ \f[]: If alg ecdsa is chosen, the curve for ECC (default: nist_p256)
.IP \[bu] 2
\f[C]\-e\ \f[], \f[C]\-\-exponent\ \f[]: If alg rsa is chosen, the RSA public exponent (default: 65537)
.IP \[bu] 2
\f[C]\-h\f[], \f[C]\-\-help\f[]: Print help
.IP \[bu] 2
\f[C]\-o\ \f[], \f[C]\-\-ownerpw\ \f[]: Password for the owner hierarchy (default: none).
OpenSSL config control command: \f[C]SET_OWNERAUTH\f[]
.IP \[bu] 2
\f[C]\-p\ \f[], \f[C]\-\-password\ \f[]: Password for the created key (default: none)
.IP \[bu] 2
\f[C]\-P\ \f[], \f[C]\-\-parent\ \f[]: Specific handle for the parent key (default: none)
.IP \[bu] 2
\f[C]\-s\ \f[], \f[C]\-\-keysize\ \f[]: If alg rsa is chosen, the key size in bits (default: 2048)
.IP \[bu] 2
\f[C]\-v\f[], \f[C]\-\-verbose\f[]: Print verbose messages
.IP \[bu] 2
\f[C]\-W\ \f[], \f[C]\-\-parentpw\ \f[]: Password for the parent key (default: none).
OpenSSL config control command: \f[C]SET_PARENTAUTH\f[]
.IP \[bu] 2
\f[C]\-t\ \f[], \f[C]\-\-tcti\ \f[]: TCTI configuration string (default: none).
OpenSSL config control command: \f[C]SET_TCTI\f[]
.SH EXAMPLES
.PP
Engine information can be retrieved using:
.IP
.nf
\f[C]
$\ openssl\ engine\ \-t\ \-c\ tpm2tss
\f[]
.fi
.PP
The following sequence of commands creates an RSA key using the TPM,
exports the public key, encrypts a data file and decrypts it using the
TPM:
.IP
.nf
\f[C]
$\ tpm2tss\-genkey\ \-a\ rsa\ \-s\ 2048\ mykey
$\ openssl\ rsa\ \-engine\ tpm2tss\ \-inform\ engine\ \-in\ mykey\ \-pubout\ \-outform\ pem\ \-out\ mykey.pub
$\ openssl\ pkeyutl\ \-pubin\ \-inkey\ mykey.pub\ \-in\ mydata\ \-encrypt\ \-out\ mycipher
$\ openssl\ pkeyutl\ \-engine\ tpm2tss\ \-keyform\ engine\ \-inkey\ mykey\ \-decrypt\ \-in\ mycipher\ \-out\ mydata
\f[]
.fi
.PP
The following sequence of commands creates an RSA key using the TPM,
exports the public key, signs a data file using the TPM and validates the
signature:
.IP
.nf
\f[C]
$\ tpm2tss\-genkey\ \-a\ rsa\ \-s\ 2048\ mykey
$\ openssl\ rsa\ \-engine\ tpm2tss\ \-inform\ engine\ \-in\ mykey\ \-pubout\ \-outform\ pem\ \-out\ mykey.pub
$\ openssl\ pkeyutl\ \-engine\ tpm2tss\ \-keyform\ engine\ \-inkey\ mykey\ \-sign\ \-in\ mydata\ \-out\ mysig
$\ openssl\ pkeyutl\ \-pubin\ \-inkey\ mykey.pub\ \-verify\ \-in\ mydata\ \-sigfile\ mysig
\f[]
.fi
.PP
The following sequence of commands creates an ECDSA key using the TPM,
exports the public key, signs a data file using the TPM and validates the
signature:
.IP
.nf
\f[C]
$\ tpm2tss\-genkey\ \-a\ ecdsa\ mykey
$\ openssl\ ec\ \-engine\ tpm2tss\ \-inform\ engine\ \-in\ mykey\ \-pubout\ \-outform\ pem\ \-out\ mykey.pub
$\ openssl\ pkeyutl\ \-engine\ tpm2tss\ \-keyform\ engine\ \-inkey\ mykey\ \-sign\ \-in\ mydata\ \-out\ mysig
$\ openssl\ pkeyutl\ \-pubin\ \-inkey\ mykey.pub\ \-verify\ \-in\ mydata\ \-sigfile\ mysig
\f[]
.fi
.SH RETURNS
.PP
0 on success or 1 on failure.
.SS AUTHOR
.PP
Written by Andreas Fuchs.
.SS COPYRIGHT
.PP
tpm2tss is Copyright (C) 2017\-2018 Fraunhofer SIT sponsored by Infineon
Technologies AG.
License BSD 3\-clause.
.SS SEE ALSO
.PP
openssl(1)
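Added example (a shell script, not part of this man page or of the tpm2-tss-engine project): it passes the engine's control commands through OPENSSL_CONF, as DESCRIPTION and OPTIONS allow, runs the sign-and-verify sequence from EXAMPLES, and adds the negative check the page does not show, namely that a signature must fail to verify once the signed data changes. The TCTI string, the file names and the config layout are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the tpm2tss-genkey man page or the tpm2-tss-engine
# project. The TCTI string and the file names are assumptions.
set -eu
TCTI="${TCTI:-device:/dev/tpmrm0}"   # assumed TCTI configuration, see --tcti

# write_engine_conf DIR TCTI: write an OpenSSL config that loads the tpm2tss
# engine and passes control commands named under OPTIONS. The engine is found
# through the normal dynamic-engine lookup, the same way "openssl engine
# tpm2tss" finds it. Control commands precede "init = 1" so they apply before
# the engine initialises. Prints the path of the generated file.
write_engine_conf() {
    cat > "$1/openssl.cnf" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
tpm2tss = tpm2tss_section
[tpm2tss_section]
engine_id = tpm2tss
SET_TCTI = $2
# SET_PARENTAUTH = <parent password>   (config equivalent of --parentpw)
init = 1
EOF
    printf '%s/openssl.cnf\n' "$1"
}

# sign_and_check DIR: create a TPM-resident RSA key, sign DIR/mydata, verify
# with the exported public key, then confirm that verification FAILS on
# altered data (pkeyutl exits non-zero on a failed verify in OpenSSL 1.1+).
# Returns 0 only when both the positive and the negative check pass.
sign_and_check() {
    dir=$1
    OPENSSL_CONF=$(write_engine_conf "$dir" "$TCTI"); export OPENSSL_CONF
    printf 'payload to protect\n' > "$dir/mydata"
    tpm2tss-genkey -a rsa -s 2048 "$dir/mykey"
    openssl rsa -engine tpm2tss -inform engine -in "$dir/mykey" \
        -pubout -outform pem -out "$dir/mykey.pub"
    openssl pkeyutl -engine tpm2tss -keyform engine -inkey "$dir/mykey" \
        -sign -in "$dir/mydata" -out "$dir/mysig"
    openssl pkeyutl -pubin -inkey "$dir/mykey.pub" -verify \
        -in "$dir/mydata" -sigfile "$dir/mysig"
    printf 'payload to protect?\n' > "$dir/tampered"
    if openssl pkeyutl -pubin -inkey "$dir/mykey.pub" -verify \
        -in "$dir/tampered" -sigfile "$dir/mysig" >/dev/null 2>&1; then
        echo "verification unexpectedly succeeded on tampered data" >&2
        return 1
    fi
}
```

Run `sign_and_check "$(mktemp -d)"` on a host with a TPM 2.0 and the engine installed; the function only needs the TPM for the second half, so the config writer can be exercised anywhere.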