.\" Automatically generated by Pandoc 2.9.2.1
.\"
.TH "tss2_createseal" "1" "APRIL 2019" "tpm2-tools" "General Commands Manual"
.hy
.SH NAME
.PP
\f[B]tss2_createseal\f[R](1) -
.SH SYNOPSIS
.PP
\f[B]tss2_createseal\f[R] [\f[I]OPTIONS\f[R]]
.SH SEE ALSO
.PP
\f[B]fapi-config(5)\f[R] to adjust Fapi parameters like the used
cryptographic profile and TCTI or directories for the Fapi metadata
storages.
.PP
\f[B]fapi-profile(5)\f[R] to determine the cryptographic algorithms and
parameters for all keys and operations of a specific TPM interaction
like the name hash algorithm, the asymmetric signature algorithm, scheme
and parameters and PCR bank selection.
.SH DESCRIPTION
.PP
\f[B]tss2_createseal\f[R](1) - This command creates a sealed object and
stores it in the FAPI metadata store.
If no data is provided (i.e.\ a NULL-pointer) then the TPM generates
random data and fills the sealed object.
TPM signing schemes are used as specified in the cryptographic profile
(cf., \f[B]fapi-profile(5)\f[R]).
.SH OPTIONS
.PP
These are the available options:
.IP \[bu] 2
\f[B]-p\f[R], \f[B]--path\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
The path to the new key.
.RE
.IP \[bu] 2
\f[B]-t\f[R], \f[B]--type\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
Identifies the intended usage.
Optional parameter.
Types may be any comma-separated combination of:
.IP
.nf
\f[C]
- \[dq]exportable\[dq]: Clears the fixedTPM and fixedParent attributes of a key or
  sealed object.
- \[dq]noda\[dq]: Sets the noda attribute of a key or NV index.
- \[dq]system\[dq]: Stores the data blobs and metadata for a created key or seal
  in the system-wide directory instead of user\[aq]s personal directory.
- A hexadecimal number (e.g. \[dq]0x81000001\[dq]): Marks a key object to be
  made persistent and sets the persistent object handle to this value.
\f[R]
.fi
.RE
.IP \[bu] 2
\f[B]-P\f[R], \f[B]--policyPath\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
Identifies the policy to be associated with the new key.
Optional parameter.
If omitted then no policy will be associated with the key.
.PP
A policyPath is composed of two elements, separated by \[lq]/\[rq].
A policyPath starts with \[lq]/policy\[rq].
The second path element identifies the policy or policy template using a
meaningful name.
.RE
.IP \[bu] 2
\f[B]-a\f[R], \f[B]--authValue\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
The new UTF-8 password.
Optional parameter.
If it is neglected then the user is queried interactively for a
password.
To set no password, this option should be used with the empty string
(\[dq]\[dq]).
The maximum password size is determined by the digest size of the chosen
name hash algorithm in the cryptographic profile (cf.,
\f[B]fapi-profile(5)\f[R]).
For example, choosing SHA256 as hash algorithm, allows passwords of a
maximum size of 32 characters.
.RE
.IP \[bu] 2
\f[B]-i\f[R], \f[B]--data\f[R]=\f[I]FILENAME\f[R] or \f[I]-\f[R] (for
stdin):
.RS 2
.PP
The data to be sealed by the TPM.
Optional parameter.
Must not be used together with --size.
.RE
.IP \[bu] 2
\f[B]-s\f[R], \f[B]--size\f[R]=\f[I]INTEGER\f[R]:
.RS 2
.PP
Determines the number of random bytes the TPM should generate and seal.
Optional parameter.
Must not be \[lq]0\[rq].
Must no be used together with --data.
.RE
.SH COMMON OPTIONS
.PP
This collection of options are common to all tss2 programs and provide
information that many users may expect.
.IP \[bu] 2
\f[B]-h\f[R], \f[B]--help [man|no-man]\f[R]: Display the tools manpage.
By default, it attempts to invoke the manpager for the tool, however, on
failure will output a short tool summary.
This is the same behavior if the \[lq]man\[rq] option argument is
specified, however if explicit \[lq]man\[rq] is requested, the tool will
provide errors from man on stderr.
If the \[lq]no-man\[rq] option if specified, or the manpager fails, the
short options will be output to stdout.
.RS 2
.PP
To successfully use the manpages feature requires the manpages to be
installed or on \f[I]MANPATH\f[R], See \f[B]man\f[R](1) for more
details.
.RE
.IP \[bu] 2
\f[B]-v\f[R], \f[B]--version\f[R]: Display version information for this
tool, supported tctis and exit.
.SH EXAMPLE
.SS Create a key with password \[lq]abc\[rq] and read sealing data from file.
.IP
.nf
\f[C]
tss2_createseal --path=HS/SRK/mySealKey --type=\[dq]noDa\[dq] --authValue=abc --data=data.file
\f[R]
.fi
.SH RETURNS
.PP
0 on success or 1 on failure.
.SH BUGS
.PP
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
.SH HELP
.PP
See the Mailing
List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)