How to Ensure Imported Keys Are Non-Exportable in TPM 2.0?


I'm working with TPM 2.0 and have successfully imported an RSA key into the TPM using the tpm2_import command. I've followed the process to create a primary key, generate an RSA key using OpenSSL, import it into TPM, load it, and then make it persistent using the tpm2_evictcontrol command. Here's a brief overview of the steps I took:

Generated an RSA key using OpenSSL:
openssl genpkey -algorithm RSA -out private_key.pem

Created a primary key in the TPM:
sudo tpm2_createprimary -C e -g sha256 -G rsa -c primary.ctx

Imported the OpenSSL-generated RSA key into TPM:
sudo tpm2_import -C primary.ctx -G rsa -i private_key.pem -u pub.blob -r priv.blob

Loaded the imported key into TPM and made it persistent:
sudo tpm2_load -C primary.ctx -u pub.blob -r priv.blob -c loaded_key.ctx
sudo tpm2_evictcontrol -C o -c loaded_key.ctx 0x81000002

Checked the public portion of the persistent key:
sudo tpm2_readpublic -c 0x81000002

Output:
name: 000b28ab86c4a706c2f3870e90147a2b282f853bebfc4e0977714e95932d5b62995d
qualified name: 000bb96e10e635cb9b26fae628dc6fcb451d8cc5c20e736b5cf1390ba7aef934d834
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: userwithauth|decrypt|sign
  raw: 0x60040
type:
  value: rsa
  raw: 0x1
exponent: 65537
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: null
  raw: 0x10
sym-mode:
  value: (null)
  raw: 0x0
sym-keybits: 0
rsa: ...

The persistent key has attributes userwithauth|decrypt|sign, which I believe means it can still be exported out of TPM.

My question is: Is there a way to import a key into TPM such that it becomes non-exportable? I want to ensure that once a key is loaded into TPM, it cannot be extracted or exported out. I'm relatively new to TPM 2.0, so any guidance or clarification on achieving this would be greatly appreciated.

I tried specifying -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt" during the import, expecting these attributes to enforce non-exportability, but this didn't work as anticipated. Am I going in the wrong direction with this? Any advice or guidance on how to correctly accomplish this would be highly appreciated. I'm seeking to understand the correct method or set of commands to ensure the key, once loaded into the TPM, cannot be extracted.

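Added example, not part of the original post and not one of the asker's commands: the thing to read in that tpm2_readpublic output is the attribute word. In TPM 2.0 the bits that pin a key to a TPM are fixedtpm and fixedparent, and fixedtpm can only be set on an object the TPM itself generates (tpm2_create, tpm2_createprimary) under a parent that is itself fixedtpm; the TPM does not accept an import whose public area claims it, and a key generated by OpenSSL already exists outside the TPM no matter how the TPM-resident copy is marked. The script below decodes the raw: value tpm2_readpublic prints (0x60040 in the output above) and, for contrast, the word a TPM-created key requested with tpm2_create -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt" would carry. Both readpublic samples are constructed inline; the bit positions are those of TPMA_OBJECT in TPM 2.0 Library Part 2.

```python
# Added example, not part of the original question: decode the TPMA_OBJECT
# attribute word that tpm2_readpublic prints ("attributes: ... raw: 0x...")
# and report whether a loaded key is actually pinned to this TPM.
import re

# Bit positions of TPMA_OBJECT, TPM 2.0 Library Part 2 (Structures).
TPMA_OBJECT = {
    "fixedtpm": 1 << 1,
    "stclear": 1 << 2,
    "fixedparent": 1 << 4,
    "sensitivedataorigin": 1 << 5,
    "userwithauth": 1 << 6,
    "adminwithpolicy": 1 << 7,
    "noda": 1 << 10,
    "encryptedduplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,
}


def decode_attrs(raw):
    """Return the attribute names set in a raw TPMA_OBJECT word, in bit order."""
    return [name for name, bit in TPMA_OBJECT.items() if raw & bit]


def encode_attrs(spec):
    """Turn a tpm2-tools style 'a|b|c' attribute string into the raw word."""
    raw = 0
    for name in spec.split("|"):
        name = name.strip().lower()
        if name not in TPMA_OBJECT:
            raise ValueError(f"unknown attribute: {name}")
        raw |= TPMA_OBJECT[name]
    return raw


def parse_readpublic(text):
    """Extract the raw attributes word from tpm2_readpublic output."""
    m = re.search(r"attributes:.*?raw:\s*(0x[0-9a-fA-F]+)", text, re.DOTALL)
    if not m:
        raise ValueError("no attributes block in tpm2_readpublic output")
    return int(m.group(1), 16)


def assess(raw):
    """Classify what the attribute bits say about where the key can live.

    fixedtpm SET: the sensitive area can never be re-parented by duplication,
        so it can never leave this TPM; only TPM-created objects can carry it.
    fixedparent SET: TPM2_Duplicate on this object is refused; it could still
        leave if an ancestor without fixedtpm were duplicated.
    sensitivedataorigin SET: the object claims its private part was generated
        by the TPM.
    """
    attrs = set(decode_attrs(raw))
    return {
        "attributes": sorted(attrs),
        "claims_tpm_origin": "sensitivedataorigin" in attrs,
        "fixed_to_this_tpm": {"fixedtpm", "fixedparent"} <= attrs,
        "directly_duplicable": "fixedparent" not in attrs,
    }


# Constructed sample: the attribute block of the imported key from the post
# (raw 0x60040 = userwithauth|decrypt|sign), trimmed to what the parser needs.
IMPORTED_READPUBLIC = """\
name: 000b28ab86c4a706c2f3870e90147a2b282f853bebfc4e0977714e95932d5b62995d
attributes:
  value: userwithauth|decrypt|sign
  raw: 0x60040
type:
  value: rsa
  raw: 0x1
"""

# Constructed sample: the block a key created inside the TPM with
# tpm2_create -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt"
# would show (0x2 | 0x10 | 0x20 | 0x40 | 0x20000 = 0x20072).
TPM_CREATED_READPUBLIC = """\
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt
  raw: 0x20072
"""

if __name__ == "__main__":
    for label, text in (("imported", IMPORTED_READPUBLIC),
                        ("tpm-created", TPM_CREATED_READPUBLIC)):
        raw = parse_readpublic(text)
        print(label, hex(raw), assess(raw))
```

To check a real handle, pipe the output of tpm2_readpublic -c 0x81000002 into parse_readpublic; an imported key will come back with fixed_to_this_tpm False, while a key generated by tpm2_create under a fixedtpm primary, with fixedtpm|fixedparent requested at creation, comes back True.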