Provided by: tpm2-tools_3.1.3-2_amd64 bug

NAME

       tpm2_rsaencrypt(1) - Performs an RSA Encryption operation using the TPM.

SYNOPSIS

       tpm2_rsaencrypt [OPTIONS] FILE

DESCRIPTION

       tpm2_rsaencrypt(1)  performs  RSA encryption on the contents of FILE (defaulting to stdin)
       using the indicated padding scheme according to IETF RFC 3447  (PKCS#1).   The  scheme  of
       keyHandle should not be TPM_ALG_NULL.

       The key referenced by keyHandle is required to be:

       1. an RSA key

       2. Have the attribute decrypt SET in it's attributes.

OPTIONS

       · -k, –key-handle=KEY_HANDLE:

         the public portion of RSA key to use for encryption.

       · -c, –key-context=KEY_CONTEXT_FILE:

         filename of the key context used for the operation.

       · -P, –pwdk=KEY_PASSWORD:

         specifies  the  password of KEY_HANDLE.  Passwords should follow the password formatting
         standards, see section “Password Formatting”.

       · -o, –out-file=OUTPUT_FILE:

         Output file path, record the decrypted data.  The default is to print an xxd  compatible
         hexdump to stdout.  If a file is specified, raw binary output is performed.

       · -S, –input-session-handle=SESSION_HANDLE:

         Optional Input session handle from a policy session for authorization.

COMMON OPTIONS

       This  collection  of options are common to many programs and provide information that many
       users may expect.

       · -h, –help: Display the tools manpage.  This requires the manpages to be installed or  on
         MANPATH, See man(1) for more details.

       · -v, –version: Display version information for this tool, supported tctis and exit.

       · -V,  –verbose:  Increase  the information that the tool prints to the console during its
         execution.  When using this option the file and line number are printed.

       · -Q, –quiet: Silence normal tool output to stdout.

       · -Z, –enable-errata: Enable the application of errata fixups.  Useful if an errata  fixup
         needs to be applied to commands sent to the TPM.  # TCTI ENVIRONMENT

       This  collection  of  environment variables that may be used to configure the various TCTI
       modules available.

       The values passed through these variables can be overridden on a per-command  basis  using
       the available command line options, see the TCTI_OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the next component down
         the TSS stack.  In most configurations this will be the TPM but it could be a  simulator
         or proxy.  The current known TCTIs are:

         · tabrmd       -       The       new      resource      manager,      called      tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket - Typically used with the old  resource  manager,  or  talking  directly  to  a
           simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE:  When  using  the  device TCTI, specify the TPM device file.  The
         default is “/dev/tpm0”.

         Note: Using the tpm directly requires the users to ensure that  concurrent  access  does
         not  occur and that they manage the tpm resources.  These tasks are usually managed by a
         resource manager.  Linux 4.12 and greater supports an  in  kernel  resource  manager  at
         “/dev/tpmrm”, typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS:  When  using  the  socket  TCTI, specify the domain name or IP
         address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port  number  used.   The
         default is 2321.

TCTI OPTIONS

       This  collection of options are used to configure the varous TCTI modules available.  They
       override any environment variables.

       · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communication with the next
         component down the TSS stack.  In most configurations this will be the resource manager:
         tabrmd  (https://github.com/01org/tpm2-abrmd)  Optionally,  tcti  specific  options  can
         appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For  the device TCTI, the TPM device file for use by the device TCTI can be specified.
           The default is /dev/tpm0.  Example: -T device:/dev/tpm0

         · For the socket TCTI, the domain name or IP address and port number used by the  socket
           can   be   specified.    The   default   are   127.0.0.1   and   2321.    Example:  -T
           socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd

Password Formatting

       Passwords are interpreted in two forms, string and hex-string.  A string password  is  not
       interpreted,  and  is  directly used for authorization.  A hex-string, is converted from a
       hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or
       terminal un-friendly characters.

       By  default  passwords  are  assumed to be in the string form.  Password form is specified
       with special prefix values, they are:

       · str: - Used to indicate it is a raw string.  Useful for escaping a password that  starts
         with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.

EXAMPLES

              tpm2_rsaencrypt -k 0x81010001 -I plain.in -o encrypted.out

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)