.TH "stpm\-keygen" "1" "1st December, 2013" "simple\-tpm\-pk11" ""
.SH "NAME"
stpm\-keygen \- Generate a key pair for use with simple\-tpm\-pk11
.PP
.SH "SYNOPSIS"
\fBstpm\-keygen\fP [ \-hpsS ] \-o \fIoutput file\fP
.PP
.SH "DESCRIPTION"
\fIstpm\-keygen\fP generates a 2048\-bit RSA key inside the TPM chip, and saves the public key and the SRK\-encrypted private key (the \(dq\&blob\(dq\&) in the \fIoutput file\fP\&.
.PP
.SH "OPTIONS"
.IP "\-h"
Show usage info\&.
.IP "\-o \fIoutput file\fP"
Output file, where the public key and key blob will be written\&.
.IP "\-p"
Create the key with a PIN / password\&. The password will be prompted for interactively\&.
.IP "\-s"
Ask for the SRK password interactively\&. By default the \(dq\&Well Known Secret\(dq\& (20 nulls) is used\&. The SRK password is an access token that must be presented for the TPM to perform any operation that involves the TPM, and an actual secret password is usually not required or useful\&.
.IP "\-S"
Generate the key in software instead of hardware\&. The choice between generating the key in software and in hardware is not an obvious one\&. It\(cq\&s hard to verify the quality of keys generated in hardware (e\&.g\&. bugs or backdoors), but software keys have existed in RAM at some point\&. And because software\-generated keys have to be generated as migratable keys, they can be extracted by someone who knows the TPM owner password\&. The recommended choice is to generate in hardware, which is also the default\&.
.PP
.SH "EXAMPLES"
.nf
.sp
.PP
stpm\-keygen \-o ~/\&.simple\-tpm\-pk11/my\&.key
.PP
stpm\-keygen \-p \-o ~/\&.simple\-tpm\-pk11/my\&.key
Enter key PIN: my secret password here
.PP
stpm\-keygen \-sp \-o ~/\&.simple\-tpm\-pk11/my\&.key
Enter SRK PIN: 12345678
Enter key PIN: my secret password here
.fi
.in
.PP
.SH "DIAGNOSTICS"
Most errors will probably be related to interacting with the TPM chip\&. Resetting the TPM chip and taking ownership should take care of most of them\&.
See the \fITPM\-TROUBLESHOOTING\fP section of \fBsimple\-tpm\-pk11(7)\fP\&.
.PP
.SH "SEE ALSO"
\fBsimple\-tpm\-pk11(7)\fP, \fBstpm\-sign(1)\fP\&.
.PP
http://blog\&.habets\&.se/2013/11/Should\-I\-generate\-my\-keys\-in\-software\-or\-hardware
.PP
.SH "AUTHOR"
Simple\-TPM\-PK11 was written by Thomas Habets / \&.
.PP
git clone https://github\&.com/ThomasHabets/simple\-tpm\-pk11\&.git