Pawit Pornkitprasan
1 min read, Oct 19, 2019


It’s certainly annoying that tpm2-tools like to change their command-line parameters. Here are the commands for tpm2-tools 4.0.

List PCRs


Add key to TPM

# Policy: the sealed object may only be unsealed while PCR 0 and 7 (SHA-1 bank) hold their current values
tpm2_createpolicy --policy-pcr -l sha1:0,7 -L policy.digest
# Primary key under the endorsement hierarchy (-C e), used as the parent of the sealed object
tpm2_createprimary -C e -g sha1 -G rsa -c primary.context
# Seal /root/secret.bin; -u writes the public part, -r the private part (the original omitted the -u filename, obj.pub is assumed)
tpm2_create -g sha256 -u obj.pub -r obj.priv -C primary.context -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context
# Make the loaded object persistent at handle 0x81000000 (owner hierarchy)
tpm2_evictcontrol -C o -c load.context 0x81000000
rm load.context obj.pub obj.priv policy.digest primary.context

Check persistent object in TPM

tpm2_getcap handles-persistent
tpm2_readpublic -c 0x81000000

# Unseal the secret; this only succeeds while PCR 0 and 7 still match the sealed policy
tpm2_unseal -c 0x81000000 -p pcr:sha1:0,7 -o /crypto_keyfile.bin

Remove key from TPM

tpm2_evictcontrol -C o -c 0x81000000
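The sequence above wrapped in a script, as an added example (not from the original post): it refuses to overwrite a persistent handle that is already in use and removes the intermediate context and policy files even when a step fails. The script name, the working-directory layout and the sample handles listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): tpm2-tools 4.0 seal/unseal helper
set -eu

HANDLE=0x81000000
PCRS=sha1:0,7

# Sample output constructed in the shape `tpm2_getcap handles-persistent` prints
# (one "- 0xHANDLE" line per persistent object); used only for the self-test.
SAMPLE_HANDLES='- 0x81000000
- 0x81010001'

# handle_in_use HANDLE TEXT: returns 0 if TEXT lists HANDLE (lowercase hex), else 1.
handle_in_use() {
    printf '%s\n' "$2" | grep -qx -- "- $1"
}

# seal_secret SECRET_FILE: seal SECRET_FILE to the current PCR values, persist
# the sealed object at $HANDLE and clean up. Needs a TPM and tpm2-tools 4.0.
seal_secret() {
    secret=$1
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT INT TERM   # no leftover context/policy files on failure
    if handle_in_use "$HANDLE" "$(tpm2_getcap handles-persistent)"; then
        echo "refusing to overwrite existing persistent object $HANDLE" >&2
        return 1
    fi
    tpm2_createpolicy --policy-pcr -l "$PCRS" -L "$work/policy.digest"
    tpm2_createprimary -C e -g sha1 -G rsa -c "$work/primary.context"
    tpm2_create -g sha256 -u "$work/obj.pub" -r "$work/obj.priv" \
        -C "$work/primary.context" -L "$work/policy.digest" \
        -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i "$secret"
    tpm2_load -C "$work/primary.context" -u "$work/obj.pub" -r "$work/obj.priv" \
        -c "$work/load.context"
    tpm2_evictcontrol -C o -c "$work/load.context" "$HANDLE"
}

# unseal_secret OUT_FILE: only succeeds while the PCRs match the sealed policy.
unseal_secret() {
    tpm2_unseal -c "$HANDLE" -p "pcr:$PCRS" -o "$1"
}

# Usage (assumed script name): ./tpmseal.sh seal /root/secret.bin
#                              ./tpmseal.sh unseal /crypto_keyfile.bin
case "${1:-}" in
    seal)   seal_secret "$2" ;;
    unseal) unseal_secret "$2" ;;
esac
```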