Provided by: tpm2-tools_5.7-1_amd64 bug

NAME

       tss2_createkey(1) -

SYNOPSIS

       tss2_createkey [OPTIONS]

SEE ALSO

       fapi-config(5)  to  adjust Fapi parameters like the used cryptographic profile and TCTI or
       directories for the Fapi metadata storages.

       fapi-profile(5) to determine the cryptographic algorithms and parameters for all keys  and
       operations  of  a  specific  TPM  interaction like the name hash algorithm, the asymmetric
       signature algorithm, scheme and parameters and PCR bank selection.

DESCRIPTION

       tss2_createkey(1) - This commands creates a key inside the TPM and stores it in  the  FAPI
       metadata  store  and if requested persistently inside the TPM.  Depending on the specified
       key type, cryptographic algorithms and parameters for the created key  are  determined  by
       the corresponding cryptographic profile (cf., fapi-profile(5)).

OPTIONS

       These are the available options:

       • -p, --path=STRING:

         The path to the new key.

       • -t, --type=STRING:

         Identifies  the  intended  usage.  Optional parameter.  Types may be any comma-separated
         combination of:

                - "sign": Sets the sign attribute of a key.
                - "decrypt": Sets the decrypt attribute of a key.
                - Hint: If neither sign nor decrypt are provided, both attributes are set.
                - "restricted": Sets the restricted attribute of a key.
                - Hint: If restricted is set, sign or decrypt (but not both) need to be set.
                - "exportable": Clears the fixedTPM and fixedParent attributes of a key or
                  sealed object.
                - "noda": Sets the noda attribute of a key or NV index.
                - "system": Stores the data blobs and metadata for a created key or seal
                  in the system-wide directory instead of user's personal directory.
                - A hexadecimal number (e.g. "0x81000001"): Marks a key object to be
                  made persistent and sets the persistent object handle to this value.

       • -P, --policyPath=STRING:

         The policy to be associated with the new key.  Optional parameter.  If omitted  then  no
         policy will be associated with the key.

         A  policyPath  is  composed of two elements, separated by “/”.  A policyPath starts with
         “/policy”.  The second path element identifies the policy or  policy  template  using  a
         meaningful name.

       • -a, --authValue=STRING:

         The  new  UTF-8  password.   Optional  parameter.   If  it is neglected then the user is
         queried interactively for a password.  To set no password, this option  should  be  used
         with  the empty string (““).  The maximum password size is determined by the digest size
         of the chosen name hash algorithm in the cryptographic profile  (cf.,  fapi-profile(5)).
         For example, choosing SHA256 as hash algorithm, allows passwords of a maximum size of 32
         characters.

COMMON OPTIONS

       This collection of options are common to all tss2 programs and  provide  information  that
       many users may expect.

       • -h,  --help  [man|no-man]: Display the tools manpage.  By default, it attempts to invoke
         the manpager for the tool, however, on failure will output a short tool  summary.   This
         is  the  same  behavior  if  the “man” option argument is specified, however if explicit
         “man” is requested, the tool will provide errors from man on stderr.   If  the  “no-man”
         option if specified, or the manpager fails, the short options will be output to stdout.

         To  successfully  use  the  manpages feature requires the manpages to be installed or on
         MANPATH, See man(1) for more details.

       • -v, --version: Display version information for this tool, supported tctis and exit.

EXAMPLE

   Create a key without password
              tss2_createkey --path=HS/SRK/myRsaCryptKey --type="noDa, decrypt" --authValue=""

   Create a key, ask for password on the command line
              tss2_createkey --path=HS/SRK/myRsaCryptKey --type="noDa, decrypt"

   Create a key with password “abc”.
              tss2_createkey --path=HS/SRK/myRsaCryptKey --type="noDa, decrypt" --authValue=abc

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)