I simply want to store one 32-byte symmetric key persistently in the NV storage of the TPM and, after a power cycle, use it (without getting it out of the TPM) to encrypt small-sized data.
I've tried to do that in two different ways:
1)
- Create the key with the TPM's random bytes generator
- Define space in NV and write the key in it
- Problem: I know how to read it, but how can I load it so I can use it inside the TPM?
2)
- Create an AES key with the TPM2_Create command
- Make it persistent with the TPM2_EvictControl command
- Through the same power cycle, I have its handle and I can load it and use it
- Problem: Similar to before, how to load it and use it after the next power cycle?
I scanned TCG's Specs and I even read this free practical guide to TPM2.0 and haven't found any clues to my problems.
What am I missing?
`TPM2_EncryptDecrypt` is meant to be used with symmetric keys. Pass the key handle you obtained with `TPM2_EvictControl` as the `@keyHandle` parameter, and set the `decrypt` parameter appropriately. Set `mode` to `TPM_ALG_NULL` so the default mode is used.

Keep in mind that it's not practical to use the TPM for encrypting large amounts of data (what symmetric keys are typically used for).