
stpm-keygen - Generate key pair for use with simple-tpm-pk11

Author

       Simple-TPM-PK11 was written by Thomas Habets <habets@google.com> / <thomas@habets.se>.

       git clone https://github.com/ThomasHabets/simple-tpm-pk11.git

simple-tpm-pk11                                1st December, 2013                                 stpm-keygen(1)

Description

       stpm-keygen generates a 2048-bit RSA key inside the TPM chip, and saves the public key and the
       SRK-encrypted private key (the "blob") in the output file.

Diagnostics

       Most errors will probably be related to interacting with the TPM chip.  Resetting the TPM chip and taking
       ownership should take care of most of them. See the TPM-TROUBLESHOOTING section of simple-tpm-pk11(7).

Examples

       stpm-keygen -o ~/.simple-tpm-pk11/my.key

       stpm-keygen -p -o ~/.simple-tpm-pk11/my.key
       Enter key PIN: my secret password here

       stpm-keygen -sp -o ~/.simple-tpm-pk11/my.key
       Enter SRK PIN: 12345678
       Enter key PIN: my secret password here

Name

       stpm-keygen - Generate key pair for use with simple-tpm-pk11

Options

       -h     Show usage info.

       -o outputfile
              Output file, where the public key and key blob will be written.

       -p     Create the key with a PIN / password. The password will be prompted for interactively.

       -s     Ask for the SRK password interactively. By default the "Well Known Secret" (20 nulls) is used. The
              SRK password is an access token that must be presented for the TPM to perform any operation that
              involves the TPM, and an actual secret password is usually not required or useful.

       -S     Generate key in software instead of hardware. The choice between generating the key in software
              and hardware is not an obvious one. It’s hard to verify the quality of keys generated in hardware
              (e.g. bugs or backdoors), but software keys have existed in RAM at some point. And because
              software-generated keys have to be generated as migratable keys, they can be extracted by someone
              who knows the TPM owner password. The recommended choice is to generate in hardware, which is also
              the default.

See Also

Synopsis

stpm-keygen [ -hps ] -o outputfile
