
SEAL_TPM2_DATA(1) User Commands SEAL_TPM2_DATA(1)

NAME

seal_tpm2_data - seal a blob of data for a TPM

SYNOPSIS

seal_tpm2_data [options] <filename>

DESCRIPTION

Creates a sealed blob of data that can be unsealed only by the TPM it was sealed to, and only when any authorization or policy attached at seal time is satisfied. One use for the sealed data is as a symmetric key, which is how the Linux kernel trusted key infrastructure uses such blobs.

OPTIONS

--auth: the data blob requires authorization, i.e. a password must be presented to unseal it.

Specify the parent key password (default EmptyAuth).

Mark the key as having Dictionary Attack implications. This means that if the key password is presented incorrectly too many times, the TPM may implement DA mitigation and refuse further authorization attempts for a while.

Print this help message.

-p <handle>: parent for the key. This can either be a persistent key or a hierarchy; the hierarchies are 'platform', 'owner', 'null' and 'endorsement', whose primary seeds are the platform, storage, null and endorsement seeds respectively.

Print package version.

Use this password instead of prompting for it.

Create a sealed data bundle that can be migrated to other systems.

Name algorithm to use: sha1, sha256 (the default), sha384 or sha512.

Lock the created key to the specified PCRs by their current value. See PCR VALUES for details about formatting.

The data can only be unsealed in the set of localities described by the <loc> bitmap.

--signed-policy <key>: add a signed policy directive that allows policies signed by the specified public <key> to authorize unsealing.

--secret <handle>: tie authorization of the key to the authorization of a different object identified by <handle>.

--import <pubkey>: create an importable key with the outer wrapper encrypted to <pubkey>.

Specify a policy for unsealing the data.

PCR VALUES

The PCR values are specified as

<bank>:<list>

where <bank> is any supported PCR hash bank and <list> specifies the PCRs to lock the key to, as comma separated individual values and/or comma separated ranges. So

sha256:1,3 means PCRs 1 and 3 in the sha256 bank

sha512:1,3-5 means PCRs 1, 3, 4 and 5 in the sha512 bank
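The following is an added example, not code from seal_tpm2_data or openssl-tpm2-engine: a small POSIX sh parser for the <bank>:<list> format described above. It expands single values and ranges into the individual PCR indexes and rejects malformed specifications (descending ranges, missing halves, unknown banks, out-of-range indexes) before they reach the tool. The accepted bank names (sha1, sha256, sha384, sha512) and the 0-23 PCR index limit are assumptions made by this example; the page itself only says "any supported PCR hash bank".

```shell
#!/bin/sh
# Added example, not part of seal_tpm2_data or openssl-tpm2-engine: expand a
# <bank>:<list> PCR specification of the form described under PCR VALUES into
# the individual PCR indexes it names, rejecting malformed input before it is
# handed to the tool. Assumptions (not stated on the page): the bank names
# accepted are sha1/sha256/sha384/sha512, and PCR indexes are limited to 0-23
# as on a PC client TPM 2.0.

# is_num STRING: succeed if STRING is a non-empty decimal number without
# leading zeros (leading zeros would be read as octal by $(( )) in some shells).
is_num() {
    case "$1" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pcr_expand SPEC: print "<bank> <pcr> <pcr> ..." on stdout and return 0,
# or print nothing and return 1 if SPEC is malformed.
pcr_expand() {
    spec=$1
    bank=${spec%%:*}
    list=${spec#*:}

    # Exactly one ':' with a non-empty bank and a non-empty list around it.
    [ "$bank" != "$spec" ] || return 1
    [ -n "$bank" ] && [ -n "$list" ] || return 1
    case "$list" in *:*) return 1 ;; esac

    case "$bank" in
        sha1|sha256|sha384|sha512) ;;   # assumed set of supported banks
        *) return 1 ;;
    esac

    out=""
    oldifs=$IFS
    IFS=,
    for item in $list; do
        case "$item" in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;   # a range such as 3-5
            *)   lo=$item;        hi=$item ;;       # a single PCR
        esac
        # Both bounds must be numbers within 0..23, in ascending order.
        if ! is_num "$lo" || ! is_num "$hi" || [ "$lo" -gt "$hi" ] || [ "$hi" -gt 23 ]; then
            IFS=$oldifs
            return 1
        fi
        i=$lo
        while [ "$i" -le "$hi" ]; do
            out="$out $i"
            i=$((i + 1))
        done
    done
    IFS=$oldifs
    printf '%s%s\n' "$bank" "$out"
}

# Demonstration on constructed inputs; the last three are deliberately malformed
# (descending range, unknown bank, PCR index out of range).
for spec in sha256:1,3 sha512:1,3-5 sha256:7-3 md5:1 sha256:0,24; do
    pcr_expand "$spec" || echo "rejected: $spec"
done
```

Validating the specification before sealing matters because a PCR lock binds the blob to the current values of exactly the PCRs named: a typo that names the wrong PCR produces a blob that seals successfully but either never unseals or is bound to a register the attacker can extend at will.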

IMPORT

In some cases there may be a need to wrap a key without access to the TPM it will be used on. For these cases an importable key may be created with the --import option. For this to work, you must supply a public key corresponding exactly to the parent the importing TPM will use (Note: only Elliptic Curve parents are currently supported). For instance, the owner seed elliptic curve storage key may be produced on the target TPM as

tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub

Then, on any machine holding parent.pub, a sealed data file may be wrapped to that TPM via:

echo "data" | seal_tpm2_data --import parent.pub seal.tpm

Note that certain parameters must be assumed about the parent when data is wrapped to it: the template (it must be a standard restricted decryption key) and the name hash (it must be sha256). The outer wrapper is bound to the parent's name, so if the parent on the importing TPM was created with a different template or name algorithm, the import will not succeed.

SECRETS IN OTHER OBJECTS

When the option --secret <handle> is used, it creates a sealed blob whose authorization is conditioned on the password of a different object identified by <handle>. Usually this is a permanent NV index, but it could be any object. The design of this policy is to allow the password to be changed without updating the sealed blob, simply by changing the authorization of the other object. Because most unseal applications can only request a single password, blobs with a --secret policy may not additionally use the --auth option to also require the password embedded in the blob.

SIGNED POLICIES

When the option --signed-policy <key> is used, it creates a sealed blob whose policy can be extended by anyone possessing the private part of <key>. The <key> presented must be a public key, so the owner of the private key does not have to be the owner of the created TPM sealed blob.

Note that sealed blobs created with --signed-policy cannot be used until at least one signed policy is added.

EXAMPLES

Create a sealed data blob under the storage parent (owner hierarchy)

echo somedatatoseal | seal_tpm2_data -p owner seal.tpm

Unseal the data

unseal_tpm2_data seal.tpm

AUTHOR

Written by James Bottomley <James.Bottomley@HansenPartnership.com>

REPORTING BUGS

Report bugs to <openssl-tpm2-engine@groups.io>

COPYRIGHT

Copyright 2017 by James Bottomley. License LGPL-2.1-only

April 2024 seal_tpm2_data 4.1.2