|
|
tpmtool — GnuTLS TPM tool
tpmtool [ −flag [value] ...] [ −−opt−name [[=|]value] ...]
−d
number,
−−debug=numberEnable debugging. This option takes an integer number as its argument. The value of number is constrained to being:
in the range 0 through 9999
Specifies the debug level.
−−infile=fileInput file.
−−outfile=stringOutput file.
−−generate−rsaGenerate an RSA private-public key pair.
Generates an RSA private-public key pair in the TPM chip. The key may be stored in filesystem and protected by a PIN, or stored (registered) in the TPM chip flash.
−−registerAny generated key will be registered in the TPM. This option must appear in combination with the following options: generate-rsa.
−−signingAny generated key will be a signing key. This option must appear in combination with the following options: generate-rsa. This option must not appear in combination with any of the following options: legacy.
−−legacyAny generated key will be a legacy key. This option must appear in combination with the following options: generate-rsa. This option must not appear in combination with any of the following options: signing.
−−userAny registered key will be a user key. This option must appear in combination with the following options: register. This option must not appear in combination with any of the following options: system.
The generated key will be stored in a user specific persistent storage.
−−systemAny registred key will be a system key. This option must appear in combination with the following options: register. This option must not appear in combination with any of the following options: user.
The generated key will be stored in system persistent storage.
−−pubkey=urlPrints the public key of the provided key.
−−listLists all stored keys in the TPM.
−−delete=urlDelete the key identified by the given URL (UUID)..
−−sec−param=security
parameterSpecify the security level [low, legacy, normal, high, ultra]..
This is alternative to the bits option. Note however that the values allowed by the TPM chip are quantized and given values may be rounded up.
−−bits=numberSpecify the number of bits for key generate. This option takes an integer number as its argument.
−−inder, −−no−inderUse the DER format for keys.. The no−inder form
will disable the option.
The input files will be assumed to be in the portable DER format of TPM. The default format is a custom format used by various TPM tools
−−outder, −−no−outderUse DER format for output keys. The no−outder form
will disable the option.
The output will be in the TPM portable DER format.
−h,
−−helpDisplay usage information and exit.
−!,
−−more−helpPass the extended usage information through a pager.
−v
[{v|c|n}],
−−version[={v|c|n}]Output version of program and exit. The default mode is `v', a simple version. The `c' mode will print copyright information and `n' will print the full copyright notice.
To generate a key that is to be stored in filesystem use:
$ tpmtool −−generate−rsa −−bits 2048 −−outfile tpmkey.pem
To generate a key that is to be stored in TPM's flash use:
$ tpmtool −−generate−rsa −−bits 2048 −−register −−user
To get the public key of a TPM key use:
$ tpmtool −−pubkey tpmkey:uuid=58ad734b−bde6−45c7−89d8−756a55ad1891;storage=user −−outfile pubkey.pem
or if the key is stored in the filesystem:
$ tpmtool −−pubkey tpmkey:file=tmpkey.pem −−outfile pubkey.pem
To list all keys stored in TPM use:
$ tpmtool −−list
One of the following exit values will be returned:
0
(EXIT_SUCCESS)Successful program execution.
1
(EXIT_FAILURE)The operation failed or the command syntax was not valid.
70
(EX_SOFTWARE)libopts had an internal operational error. Please report it to autogen-users@lists.sourceforge.net. Thank you.