From: Ashok Kumar [mailto:firstname.lastname@example.org]
Sent: Thursday, March 26, 2020 6:49 AM
Subject: [tpm2] TPM Encryption Key
Our requirement is to encrypt the given data (for example, private key) with TPM
As and when required, decrypt the data using the TPM key and use it in the
To address this requirement, we did the following.
First time initialization:
- Generated primary key under owner hierarchy
- Created the TPM symmetric key (which is used to encrypt/decrypt application
under the primary key.
- Used Esys_EvictControl() to store the TPM key handle in the TPM persistent
- Used Esys_TR_FromTPMPublic() to fetch existing TPM key handle from the
I don't understand, tpm2_evictcontrol will give you a persistent key handle that’s
Why did you do this step, to get an ESYS_TR handle?
I also urge folks to use transient memory. tpm2_create will provide a public and
private blob that can be loaded with tpm2_load and then used. Persistent memory
is only so big. So use wisely.
- Used Esys_EncryptDecrypt() to encrypt/decrypt the given data
Is this the right approach?
It worked fine with the simulator. However, it failed with a "command code not
supported" error with the TPM device.
Not many TPMs support symmetric encryption:
Let's look into your TPM's supported command set, do:
$ tpm2_getcap commands | grep -i encrypt
If you don't have them, it won't work.
What you could do, is:
1. If you have to store externally generated private keys, use tpm2_import.
2. Seal an AES key to the TPM with tpm2_create -I and wrap the key with that key.
1 is the better option. Because once you do that, you can scrub all unprotected
the key in plaintext, and let it be a managed TPM object, protected by the TPM.
esys/api/Esys_EncryptDecrypt.c:324:Esys_EncryptDecrypt_Finish() Received TPM
Esys Finish ErrorCode (0x00000143)
versa_tpm2_encrypt_decrypt.382: Esys_EncryptDecrypt failed; rc 0x143
main#568: Wrote 0 bytes of data
[admin@TPM2-VersaCSG-Ashok: ~] $ tpm2_rc_decode 0x143 error layer
description: Error produced by the TPM format 0 error code
description: command code not supported
From tpm2_dump_capability, it looks like Esys_EncryptDecrypt() and
Esys_EncryptDecrypt2() are not supported.
For our use case, what could be the right alternative method to use? Shall we use
Esys_RSA_Encrypt()? In that case, which scheme is better? TPM2_ALG_RSAES or
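
Added example, not part of this thread or of tpm2-tss: the C code below splits a TSS2_RC such as the 0x143 in the log above into its TSS layer byte and TPM_RC bit fields, so an application can tell "this TPM does not implement the command" apart from other failures before picking a fallback. The struct and function names are hypothetical; the bit layout is the one defined for TPM_RC in the TPM 2.0 Library specification, Part 2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names. Fields below "layer" follow the TPM_RC bit layout and
 * are only meaningful when layer == 0 (the code came from the TPM itself). */
struct rc_fields {
    unsigned layer;   /* bits 23:16: TSS layer, 0 = TPM */
    bool format_one;  /* bit 7: 1 = format 1 (handle/session/parameter error) */
    bool tpm20;       /* format 0, bit 8: 1 = TPM 2.0 code */
    bool vendor;      /* format 0, bit 10: vendor-defined code */
    bool warning;     /* format 0, bit 11: warning rather than error */
    bool parameter;   /* format 1, bit 6: error refers to a parameter */
    unsigned number;  /* format 1, bits 11:8: which handle/session/parameter */
    unsigned error;   /* error number: bits 6:0 (format 0) or 5:0 (format 1) */
};

struct rc_fields rc_decode(uint32_t rc)
{
    struct rc_fields f = {0};
    f.layer = (rc >> 16) & 0xFF;
    f.format_one = (rc & 0x080) != 0;
    if (f.format_one) {
        f.parameter = (rc & 0x040) != 0;
        f.number = (rc >> 8) & 0xF;
        f.error = rc & 0x3F;
    } else {
        f.tpm20 = (rc & 0x100) != 0;
        f.vendor = (rc & 0x400) != 0;
        f.warning = (rc & 0x800) != 0;
        f.error = rc & 0x7F;
    }
    return f;
}

/* True only for TPM_RC_COMMAND_CODE (0x143) raised by the TPM itself:
 * the device does not implement the command, so retrying cannot help. */
bool rc_is_unsupported_command(uint32_t rc)
{
    struct rc_fields f = rc_decode(rc);
    return f.layer == 0 && !f.format_one && f.tpm20 && !f.vendor &&
           !f.warning && f.error == 0x43;
}

int main(void)
{
    uint32_t rc = 0x143; /* rc reported by Esys_EncryptDecrypt in this thread */
    printf("error=0x%02x unsupported=%d\n", rc_decode(rc).error,
           rc_is_unsupported_command(rc));
    return 0;
}
```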