.\" Automatically generated by Pandoc 3.1.9
.\"
.TH "tss2_createseal" "1" "APRIL 2019" "tpm2-tools" "General Commands Manual"
.SH NAME
\f[B]tss2_createseal\f[R](1) -
.SH SYNOPSIS
\f[B]tss2_createseal\f[R] [\f[I]OPTIONS\f[R]]
.SH SEE ALSO
\f[B]fapi-config(5)\f[R] to adjust Fapi parameters like the cryptographic profile and TCTI in use, or the directories for the Fapi metadata storages.
.PP
\f[B]fapi-profile(5)\f[R] to determine the cryptographic algorithms and parameters for all keys and operations of a specific TPM interaction, such as the name hash algorithm, the asymmetric signature algorithm, scheme and parameters, and the PCR bank selection.
.SH DESCRIPTION
\f[B]tss2_createseal\f[R](1) - This command creates a sealed object and stores it in the FAPI metadata store.
If no data is provided (i.e.\ a NULL-pointer) then the TPM generates random data and fills the sealed object with it.
TPM signing schemes are used as specified in the cryptographic profile (cf., \f[B]fapi-profile(5)\f[R]).
.SH OPTIONS
These are the available options:
.IP \[bu] 2
\f[B]-p\f[R], \f[B]--path\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
The path to the new key.
.RE
.IP \[bu] 2
\f[B]-t\f[R], \f[B]--type\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
Identifies the intended usage.
Optional parameter.
Types may be any comma-separated combination of:
.IP
.EX
- \[dq]exportable\[dq]: Clears the fixedTPM and fixedParent attributes of a key or sealed object.
- \[dq]noda\[dq]: Sets the noda attribute of a key or NV index.
- \[dq]system\[dq]: Stores the data blobs and metadata for a created key or seal in the system-wide directory instead of the user\[aq]s personal directory.
- A hexadecimal number (e.g. \[dq]0x81000001\[dq]): Marks a key object to be made persistent and sets the persistent object handle to this value.
.EE
.RE
.IP \[bu] 2
\f[B]-P\f[R], \f[B]--policyPath\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
Identifies the policy to be associated with the new key.
Optional parameter.
If omitted, no policy will be associated with the key.
.PP
A policyPath is composed of two elements, separated by \[lq]/\[rq].
A policyPath starts with \[lq]/policy\[rq].
The second path element identifies the policy or policy template using a meaningful name.
.RE
.IP \[bu] 2
\f[B]-a\f[R], \f[B]--authValue\f[R]=\f[I]STRING\f[R]:
.RS 2
.PP
The new UTF-8 password.
Optional parameter.
If it is omitted, the user is queried interactively for a password.
To set no password, this option should be used with the empty string (\[lq]\[lq]).
The maximum password size is determined by the digest size of the chosen name hash algorithm in the cryptographic profile (cf., \f[B]fapi-profile(5)\f[R]).
For example, choosing SHA256 as the hash algorithm allows passwords of a maximum size of 32 characters.
.RE
.IP \[bu] 2
\f[B]-i\f[R], \f[B]--data\f[R]=\f[I]FILENAME\f[R] or \f[I]-\f[R] (for stdin):
.RS 2
.PP
The data to be sealed by the TPM.
Optional parameter.
Must not be used together with --size.
.RE
.IP \[bu] 2
\f[B]-s\f[R], \f[B]--size\f[R]=\f[I]INTEGER\f[R]:
.RS 2
.PP
Determines the number of random bytes the TPM should generate and seal.
Optional parameter.
Must not be \[lq]0\[rq].
Must not be used together with --data.
.RE
.SH COMMON OPTIONS
This collection of options is common to all tss2 programs and provides information that many users may expect.
.IP \[bu] 2
\f[B]-h\f[R], \f[B]--help [man|no-man]\f[R]: Display the tool's manpage.
By default, it attempts to invoke the manpager for the tool; on failure it outputs a short tool summary.
This is the same behavior as when the \[lq]man\[rq] option argument is specified; however, if \[lq]man\[rq] is requested explicitly, the tool will pass on errors from man on stderr.
If the \[lq]no-man\[rq] option is specified, or the manpager fails, the short options will be output to stdout.
.RS 2
.PP
Using the manpages feature requires the manpages to be installed or on \f[I]MANPATH\f[R]; see \f[B]man\f[R](1) for more details.
.RE
.IP \[bu] 2
\f[B]-v\f[R], \f[B]--version\f[R]: Display version information for this tool and the supported TCTIs, then exit.
.SH EXAMPLE
.SS Create a sealed object with password \[lq]abc\[rq] and read the sealing data from a file.
.IP
.EX
tss2_createseal --path=HS/SRK/mySealKey --type=\[dq]noDa\[dq] --authValue=abc --data=data.file
.EE
.SH RETURNS
0 on success or 1 on failure.
.SH BUGS
\c
.UR https://github.com/tpm2-software/tpm2-tools/issues
Github Issues
.UE \c
.SH HELP
See the \c
.UR https://lists.linuxfoundation.org/mailman/listinfo/tpm2
Mailing List
.UE \c
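.PP
The constraints listed under OPTIONS (--data and --size are mutually exclusive, --size must not be 0, a policyPath is /policy/<name>, and the authValue must fit the digest size of the profile's name hash algorithm) can be checked in a script before the TPM is touched. The following wrapper is an added example and not part of tpm2-tools; it assumes the caller passes the profile's name hash algorithm (default sha256) and counts the password in UTF-8 bytes, the conservative reading of the digest-size limit.

```shell
#!/bin/sh
# Pre-flight checks for tss2_createseal (added example, not tpm2-tools code).
# The checks mirror the constraints in OPTIONS so a provisioning script fails
# before the TPM is touched. The name hash algorithm is assumed to be passed
# in by the caller (it lives in the Fapi profile, see fapi-profile(5)).

# Digest size in bytes of the profile's name hash algorithm.
digest_size() {
  case "$1" in
    sha1) echo 20 ;; sha256) echo 32 ;; sha384) echo 48 ;; sha512) echo 64 ;;
    *) return 1 ;;
  esac
}

# validate_seal_args PATH AUTHVALUE DATAFILE SIZE POLICYPATH [NAMEALG]
# Returns 0 when the combination is acceptable, 1 (reason on stderr) otherwise.
validate_seal_args() {
  path=$1 auth=$2 data=$3 size=$4 policy=$5 alg=${6:-sha256}
  [ -n "$path" ] || { echo "--path is required" >&2; return 1; }
  # --data and --size are mutually exclusive; --size must not be 0
  if [ -n "$data" ] && [ -n "$size" ]; then
    echo "--data and --size must not be used together" >&2; return 1
  fi
  case "$size" in
    '') ;;
    *[!0-9]*|0) echo "--size must be a positive integer" >&2; return 1 ;;
  esac
  # a policyPath is "/policy/<name>": exactly two elements
  if [ -n "$policy" ]; then
    case "$policy" in /policy/*) ;; *) echo "policyPath must start with /policy" >&2; return 1 ;; esac
    case "${policy#/policy/}" in ''|*/*) echo "policyPath must be /policy/<name>" >&2; return 1 ;; esac
  fi
  # the password must fit the digest size of the name hash algorithm;
  # UTF-8 bytes are counted, which is the conservative reading of "characters"
  max=$(digest_size "$alg") || { echo "unknown name hash algorithm: $alg" >&2; return 1; }
  len=$(( $(printf %s "$auth" | wc -c) ))
  [ "$len" -le "$max" ] || { echo "authValue is $len bytes, $alg allows $max" >&2; return 1; }
}

# build_seal_cmd: same arguments; prints the tss2_createseal command line on success.
build_seal_cmd() {
  validate_seal_args "$@" || return 1
  cmd="tss2_createseal --path=$1 --authValue=$2"
  [ -n "$3" ] && cmd="$cmd --data=$3"
  [ -n "$4" ] && cmd="$cmd --size=$4"
  [ -n "$5" ] && cmd="$cmd --policyPath=$5"
  printf '%s\n' "$cmd"
}
```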