Provided by: simple-tpm-pk11_0.06-5_amd64 bug

NAME

       stpm-keygen - Generate key pair for use with simple-tpm-pk11

SYNOPSIS

       stpm-keygen [ -hps ] -o output file

DESCRIPTION

       stpm-keygen generates a 2048 RSA key inside the TPM chip, and saves the public key and the
       SRK-encrypted private key (the "blob") in the output file.

OPTIONS

       -h     Show usage info.

       -o output file
              Output file, where the public key and key blob will be written.

       -p     Create the  key  with  a  PIN  /  password.  The  password  will  be  prompted  for
              inteactively.

       -s     Ask  for  the  SRK  password  interactively. By default the "Well Known Secret" (20
              nulls) is used. The SRK password is an access token that must be presented for  the
              TPM  to  perform any operation that involves the TPM, and an actual secret password
              is usually not required or useful.

       -S     Generate key in software instead of hardware.  The choice  between  generating  the
              key in software and hardware is not an obvious one. It’s hard to verify the quality
              of keys generated in hardware (e.g. bugs or  backdoors),  but  software  keys  have
              existed  in  RAM  at  some  point.  And  because software generated keys have to be
              generated as migratable keys, they can be extracted by someone who  knows  the  TPM
              owner  password.  The  recommended choice is to generate in hardware, which is also
              the default.

EXAMPLES

       stpm-keygen -o ~/.simple-tpm-pk11/my.key

       stpm-keygen -p -o ~/.simple-tpm-pk11/my.key
       Enter key PIN: my secret password here

       stpm-keygen -sp -o ~/.simple-tpm-pk11/my.key
       Enter SRK PIN: 12345678
       Enter key PIN: my secret password here

DIAGNOSTICS

       Most errors will probably be related to interacting with the TPM chip.  Resetting the  TPM
       chip  and  taking  ownership should take care of most of them. See the TPM-TROUBLESHOOTING
       section of simple-tpm-pk11(7).

SEE ALSO

       simple-tpm-pk11(7), stpm-sign(1).

       http://blog.habets.se/2013/11/Should-I-generate-my-keys-in-software-or-hardware

AUTHOR

       Simple-TPM-PK11 was written By Thomas Habets <habets@google.com> / <thomas@habets.se>.

       git clone https://github.com/ThomasHabets/simple-tpm-pk11.git