Our requirement is to encrypt the given data (for example, private key)
with TPM key.
As and when required, decrypt the data using the TPM key and use it in the
To address this requirement, did the following.
First time initialization:
- Generated primary key under owner hierarchy
- Created the TPM symmetric key (which is used to encrypt/decrypt
under the primary key.
- Used Esys_EvictControl() to store the TPM key handle in the TPM
- Used Esys_TR_FromTPMPublic() to fetch existing TPM key handle from the
- Used Esys_EncryptDecrypt() to encrypt/decrypt the given data
Is this the right approach?
It worked fine with simulator. However, it failed with "command code not
with TPM device.
Received TPM Error
Esys Finish ErrorCode (0x00000143)
versa_tpm2_encrypt_decrypt.382: Esys_EncryptDecrypt failed; rc 0x143
main#568: Wrote 0 bytes of data
[admin@TPM2-VersaCSG-Ashok: ~] $ tpm2_rc_decode 0x143
description: Error produced by the TPM
format 0 error code
description: command code not supported
From the tpm2_dump_capability, looks like Esys_EncryptDecrypt() and
Esys_EncryptDecrypt2() are not supported.
For our usecase, what could be the right alternative method to use? Shall
Esys_RSA_Encrypt()? In that case, which scheme is better? TPM2_ALG_RSAES or