Authorization Formatting

Authorization for use of an object in TPM2.0 can come in 3 different forms: 1. Password 2. HMAC 3. Sessions

NOTE: "Authorizations default to the EMPTY PASSWORD when not specified".


Passwords are interpreted in the following forms below using prefix identifiers.

Note: By default passwords are assumed to be in the string form when they do not have a prefix.


A string password, specified by prefix "str:" or it's absence (raw string without prefix) is not interpreted, and is directly used for authorization.




A hex-string password, specified by prefix "hex:" is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.




A file based password, specified be prefix "file:" should be the path of a file containing the password to be read by the tool or a "-" to use stdin. Storing passwords in files prevents information leakage, passwords passed as options can be read from the process list or common shell history features.


# to use stdin and be prompted

# to use a file from a path

# to echo a password via stdin:
echo foobar | tpm2_tool -p file:-

# to use a bash here-string via stdin:

tpm2_tool -p file:- <<< foobar


When using a policy session to authorize the use of an object, prefix the option argument with the session keyword. Then indicate a path to a session file that was created with tpm2_startauthsession(1). Optionally, if the session requires an auth value to be sent with the session handle (eg policy password), then append a + and a string as described in the Passwords section.


To use a session context file called session.ctx.


To use a session context file called session.ctx AND send the authvalue mypassword.


To use a session context file called session.ctx AND send the HEX authvalue 0x11223344.


PCR Authorizations

You can satisfy a PCR policy using the "pcr:" prefix and the PCR minilanguage. The PCR minilanguage is as follows: <pcr-spec>=<raw-pcr-file>

The PCR spec is documented in in the section "PCR bank specifiers".

The raw-pcr-file is an optional argument that contains the output of the raw PCR contents as returned by tpm2_pcrread(1).

PCR bank specifiers


To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier of: