NAME¶
stpm-keygen - Generate key pair for use with simple-tpm-pk11
SYNOPSIS¶
stpm-keygen [ -hps ] -o
output file
DESCRIPTION¶
stpm-keygen generates a 2048 RSA key inside the TPM chip, and saves the
public key and the SRK-encrypted private key (the "blob") in the
output file.
OPTIONS¶
- -h
- Show usage info.
- -o output file
- Output file, where the public key and key blob will be written.
- -p
- Create the key with a PIN / password. The password will be prompted for
inteactively.
- -s
- Ask for the SRK password interactively. By default the "Well Known
Secret" (20 nulls) is used. The SRK password is an access token that
must be presented for the TPM to perform any operation that involves the
TPM, and an actual secret password is usually not required or useful.
- -S
- Generate key in software instead of hardware. The choice between
generating the key in software and hardware is not an obvious one.
It’s hard to verify the quality of keys generated in hardware (e.g.
bugs or backdoors), but software keys have existed in RAM at some point.
And because software generated keys have to be generated as migratable
keys, they can be extracted by someone who knows the TPM owner password.
The recommended choice is to generate in hardware, which is also the
default.
EXAMPLES¶
stpm-keygen -o ~/.simple-tpm-pk11/my.key
stpm-keygen -p -o ~/.simple-tpm-pk11/my.key
Enter key PIN: my secret password here
stpm-keygen -sp -o ~/.simple-tpm-pk11/my.key
Enter SRK PIN: 12345678
Enter key PIN: my secret password here
DIAGNOSTICS¶
Most errors will probably be related to interacting with the TPM chip. Resetting
the TPM chip and taking ownership should take care of most of them. See the
TPM-TROUBLESHOOTING section of
simple-tpm-pk11(7).
SEE ALSO¶
simple-tpm-pk11(7),
stpm-sign(1).
http://blog.habets.se/2013/11/Should-I-generate-my-keys-in-software-or-hardware
AUTHOR¶
Simple-TPM-PK11 was written By Thomas Habets <habets@google.com> /
<thomas@habets.se>.
git clone
https://github.com/ThomasHabets/simple-tpm-pk11.git