% tpm2_activatecredential(1) tpm2-tools | General Commands Manual


tpm2_activatecredential(1) - Enables access to the credential qualifier to recover the credential secret.


tpm2_activatecredential [OPTIONS]


tpm2_activatecredential(1) - Enables the association of a credential with an object in a way that ensures that the TPM has validated the parameters of the credentialed object. In an attestation scheme , this guarantees the registrar that the attestation key belongs to the TPM with a qualified parent key in the TPM.


  • -c, --credentialedkey-context=OBJECT:

    Object associated with the created certificate by CA.

  • -C, --credentialkey-context=OBJECT:

    The loaded object used to decrypt the random seed.

  • -p, --credentialedkey-auth=AUTH:

    The auth value of the credentialed object specified with -c.

  • -P, --credentialkey-auth=AUTH:

    The auth value of the credential object specified with -C.

  • -i, --credential-blob=FILE:

    The input file path containing the credential blob and secret created with the tpm2_makecredential(1) tool.

  • -o, --certinfo-data=FILE:

    The output file path to save the decrypted credential secret information.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash, unless rphash is also required.

  • --rphash=FILE

    File path to record the hash of the response parameters. This is commonly termed as rpHash.

  • -S, --session=FILE:

    The session created using tpm2_startauthsession. This can be used to specify an auxiliary session for auditing and or encryption/decryption of the parameters.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


echo "12345678" > secret.data

tpm2_createek -Q -c 0x81010001 -G rsa -u ek.pub

tpm2_createak -C 0x81010001 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \
-n ak.name -p akpass> ak.out

file_size=`stat --printf="%s" ak.name`
loaded_key_name=`cat ak.name | xxd -p -c $file_size`

tpm2_makecredential -Q -e ek.pub  -s secret.data -n $loaded_key_name \
-o mkcred.out

tpm2_startauthsession --policy-session -S session.ctx

tpm2_policysecret -S session.ctx -c e

tpm2_activatecredential -Q -c ak.ctx -C 0x81010001 -i mkcred.out \
-o actcred.out -p akpass -P"session:session.ctx"

tpm2_flushcontext session.ctx