@node tpmtool Invocation @subsection Invoking tpmtool @pindex tpmtool @ignore # -*- buffer-read-only: t -*- vi: set ro: # # DO NOT EDIT THIS FILE (invoke-tpmtool.texi) # # It has been AutoGen-ed December 16, 2013 at 01:40:38 PM by AutoGen 5.18 # From the definitions ../src/tpmtool-args.def # and the template file agtexi-cmd.tpl @end ignore Program that allows handling cryptographic data from the TPM chip. This section was generated by @strong{AutoGen}, using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program. This software is released under the GNU General Public License, version 3 or later. @anchor{tpmtool usage} @subsubheading tpmtool help/usage (@option{--help}) @cindex tpmtool help This is the automatically generated usage text for tpmtool. The text printed is the same whether selected with the @code{help} option (@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print the usage text by passing it through a pager program. @code{more-help} is disabled on platforms without a working @code{fork(2)} function. The @code{PAGER} environment variable is used to select the program, defaulting to @file{more}. Both will exit with a status code of 0. @exampleindent 0 @example tpmtool - GnuTLS TPM tool Usage: tpmtool [ - [] | --[@{=| @}] ]... -d, --debug=num Enable debugging. - it must be in the range: 0 to 9999 --infile=file Input file - file must pre-exist --outfile=str Output file --generate-rsa Generate an RSA private-public key pair --register Any generated key will be registered in the TPM - requires the option 'generate-rsa' --signing Any generated key will be a signing key - requires the option 'generate-rsa' -- and prohibits the option 'legacy' --legacy Any generated key will be a legacy key - requires the option 'generate-rsa' -- and prohibits the option 'signing' --user Any registered key will be a user key - requires the option 'register' -- and prohibits the option 'system' --system Any registred key will be a system key - requires the option 'register' -- and prohibits the option 'user' --pubkey=str Prints the public key of the provided key --list Lists all stored keys in the TPM --delete=str Delete the key identified by the given URL (UUID). --sec-param=str Specify the security level [low, legacy, normal, high, ultra]. --bits=num Specify the number of bits for key generate --inder Use the DER format for keys. - disabled as '--no-inder' --outder Use DER format for output keys - disabled as '--no-outder' -v, --version[=arg] output version information and exit -h, --help display extended usage information and exit -!, --more-help extended usage information passed thru pager Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. Program that allows handling cryptographic data from the TPM chip. Please send bug reports to: @end example @exampleindent 4 @anchor{tpmtool debug} @subsubheading debug option (-d) This is the ``enable debugging.'' option. This option takes an argument number. Specifies the debug level. @anchor{tpmtool generate-rsa} @subsubheading generate-rsa option This is the ``generate an rsa private-public key pair'' option. Generates an RSA private-public key pair in the TPM chip. The key may be stored in filesystem and protected by a PIN, or stored (registered) in the TPM chip flash. @anchor{tpmtool user} @subsubheading user option This is the ``any registered key will be a user key'' option. @noindent This option has some usage constraints. It: @itemize @bullet @item must appear in combination with the following options: register. @item must not appear in combination with any of the following options: system. @end itemize The generated key will be stored in a user specific persistent storage. @anchor{tpmtool system} @subsubheading system option This is the ``any registred key will be a system key'' option. @noindent This option has some usage constraints. It: @itemize @bullet @item must appear in combination with the following options: register. @item must not appear in combination with any of the following options: user. @end itemize The generated key will be stored in system persistent storage. @anchor{tpmtool sec-param} @subsubheading sec-param option This is the ``specify the security level [low, legacy, normal, high, ultra].'' option. This option takes an argument string @file{Security parameter}. This is alternative to the bits option. Note however that the values allowed by the TPM chip are quantized and given values may be rounded up. @anchor{tpmtool inder} @subsubheading inder option This is the ``use the der format for keys.'' option. The input files will be assumed to be in the portable DER format of TPM. The default format is a custom format used by various TPM tools @anchor{tpmtool outder} @subsubheading outder option This is the ``use der format for output keys'' option. The output will be in the TPM portable DER format. @anchor{tpmtool exit status} @subsubheading tpmtool exit status One of the following exit values will be returned: @table @samp @item 0 (EXIT_SUCCESS) Successful program execution. @item 1 (EXIT_FAILURE) The operation failed or the command syntax was not valid. @end table @anchor{tpmtool See Also} @subsubheading tpmtool See Also p11tool (1), certtool (1) @anchor{tpmtool Examples} @subsubheading tpmtool Examples To generate a key that is to be stored in filesystem use: @example $ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem @end example To generate a key that is to be stored in TPM's flash use: @example $ tpmtool --generate-rsa --bits 2048 --register --user @end example To get the public key of a TPM key use: @example $ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \ --outfile pubkey.pem @end example or if the key is stored in the filesystem: @example $ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem @end example To list all keys stored in TPM use: @example $ tpmtool --list @end example