% tpm2_createak(1) tpm2-tools | General Commands Manual


tpm2_createak(1) - Generate attestation key with given algorithm under the endorsement hierarchy.


tpm2_createak [OPTIONS]


tpm2_createak(1) - Generate an attestation key (AK) with the given algorithm under the endorsement hierarchy. The context of the attestation key is specified via -c.

The tool outputs to stdout a YAML representation of the loaded key's name, for example:

  name: 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268


  • -P, --eh-auth=AUTH:

    The authorization value for the endorsement hierarchy.

  • -p, --ak-auth=AUTH:

    The authorization value for the attestation key object created.

  • -C, --ek-context=OBJECT:

    The endorsement key object.

  • -c, --ak-context=FILE:

    The file path to save the object context of the attestation key.

  • -G, --key-algorithm=ALGORITHM:

    Specifies the attestation key algorithm. Supports:

      • ecc - A NIST_P256 key by default. Alternative curves can be selected using algorithm specifiers (e.g. ecc384 or ecc_nist_p384).
      • rsa - An RSA2048 key.
      • keyedhash - An HMAC key.

  • -g, --hash-algorithm=ALGORITHM:

    Specifies the digest algorithm used for signing.

  • -s, --signing-algorithm=ALGORITHM:

    The signing algorithm.

  • -u, --public=FILE:

    The file to save the public portion of the attestation key.

  • -n, --ak-name=FILE:

    The file to save the attestation key name, optional.

  • -r, --private=FILE:

    The output file which contains the sensitive portion of the object, optional (see protection details).

  • -f, --format=FORMAT:

    Format selection for the signature output file (see pubkey options).

  • -q, --ak-qualified-name=FILE:

    The qualified name of the attestation key object. The qualified name is the qualified name of the parent object (the EK in this instance) and the name of the object itself. Thus, the qualified name of an object serves to bind it to its parents.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

signature format specifiers details the option used to configure the signature FORMAT.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Create an Attestation Key and make it persistent

tpm2_createek -c ek.handle -G rsa -u ek.pub
tpm2_createak -C ek.handle -c ak.ctx -u ak.pub -n ak.name
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
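The name printed by tpm2_createak (the `name:` line, whose `000b` prefix is TPM2_ALG_SHA256) is the TPM object name: nameAlg as a big-endian UINT16, followed by the nameAlg digest of the marshaled TPMT_PUBLIC. An attestation consumer can therefore check, offline, that the name a tool run reported actually belongs to the ak.pub it saved before trusting either. The following script is an added example, not part of tpm2-tools; it assumes ak.pub is a marshaled TPM2B_PUBLIC (a two-byte size followed by the TPMT_PUBLIC, the tool's default "tss" output format) and uses a constructed RSA-2048 public area as sample input so it runs without a TPM.

```python
"""
Check that the name tpm2_createak prints matches the public area it saved.

Object name = nameAlg (UINT16, big-endian) || H_nameAlg(marshaled TPMT_PUBLIC).
Added example (not tpm2-tools code); the sample public area below is constructed.
"""
import hashlib
import struct

# TPM2_ALG_ID values a nameAlg may take (TCG Algorithm Registry).
HASH_ALGS = {
    0x0004: "sha1",
    0x000B: "sha256",
    0x000C: "sha384",
    0x000D: "sha512",
}


def digest(alg_id: int, data: bytes) -> bytes:
    """Hash data with the hash algorithm identified by a TPM2_ALG_ID."""
    if alg_id not in HASH_ALGS:
        raise ValueError(f"unsupported nameAlg 0x{alg_id:04x}")
    return hashlib.new(HASH_ALGS[alg_id], data).digest()


def tpmt_public_from_tpm2b(blob: bytes) -> bytes:
    """Strip the UINT16 size prefix of a marshaled TPM2B_PUBLIC (assumed ak.pub layout)."""
    if len(blob) < 2:
        raise ValueError("blob too short for TPM2B_PUBLIC")
    (size,) = struct.unpack(">H", blob[:2])
    body = blob[2:2 + size]
    if len(body) != size:
        raise ValueError("TPM2B_PUBLIC size field exceeds blob length")
    return body


def compute_name(tpmt_public: bytes) -> str:
    """Return the object name as hex: nameAlg || H_nameAlg(TPMT_PUBLIC)."""
    if len(tpmt_public) < 4:
        raise ValueError("TPMT_PUBLIC too short")
    # TPMT_PUBLIC starts with type (UINT16) then nameAlg (UINT16); the whole
    # marshaled structure, including those fields, is what gets hashed.
    _type, name_alg = struct.unpack(">HH", tpmt_public[:4])
    return struct.pack(">H", name_alg).hex() + digest(name_alg, tpmt_public).hex()


def parse_name_output(stdout: str) -> str:
    """Pull the hex name out of the tool's YAML stdout ("name: <hex>")."""
    for line in stdout.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "name":
            return value.strip().lower()
    raise ValueError("no 'name:' line in output")


def verify_name(stdout: str, tpm2b_public: bytes) -> bool:
    """True if the printed name is the name of the saved public area."""
    expected = compute_name(tpmt_public_from_tpm2b(tpm2b_public))
    return parse_name_output(stdout) == expected


def constructed_rsa_public() -> bytes:
    """A constructed TPM2B_PUBLIC for an RSA-2048 signing key (sample data, not from a TPM)."""
    tpmt = struct.pack(">HH", 0x0001, 0x000B)          # type TPM2_ALG_RSA, nameAlg SHA256
    tpmt += struct.pack(">I", 0x00050072)              # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign
    tpmt += struct.pack(">H", 0)                       # authPolicy: empty TPM2B_DIGEST
    tpmt += struct.pack(">H", 0x0010)                  # symmetric: TPM2_ALG_NULL
    tpmt += struct.pack(">HH", 0x0014, 0x000B)         # scheme: RSASSA with SHA256
    tpmt += struct.pack(">HI", 2048, 0)                # keyBits, exponent (0 means 2^16+1)
    modulus = bytes(range(256))                        # constructed modulus bytes
    tpmt += struct.pack(">H", len(modulus)) + modulus  # unique: TPM2B_PUBLIC_KEY_RSA
    return struct.pack(">H", len(tpmt)) + tpmt


if __name__ == "__main__":
    pub = constructed_rsa_public()
    # Stand-in for the YAML line tpm2_createak writes to stdout.
    sample_stdout = "name: " + compute_name(tpmt_public_from_tpm2b(pub)) + "\n"
    print("name matches public area:", verify_name(sample_stdout, pub))
```

To use it against a real run, capture the tool's stdout and pass it with the bytes of ak.pub to `verify_name`; a mismatch means the name and the public blob do not describe the same object and the pair should not be used for attestation.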