% tpm2_createprimary(1) tpm2-tools | General Commands Manual


tpm2_createprimary(1) - Create a primary key.


tpm2_createprimary [OPTIONS]


tpm2_createprimary(1) - This command is used to create a primary object under one of the hierarchies: Owner, Platform, Endorsement, NULL. The command will create and load a Primary Object. The sensitive and public portions are not returned. A context file for the created object's handle is saved as a file for future interactions with the created primary.


  • -C, --hierarchy=OBJECT:

    The hierarchy under which the object is created. This will also dictate which authorization secret (if any) must be supplied. Defaults to TPM_RH_OWNER, when no value specified. Supported options are: * o for TPM_RH_OWNER * p for TPM_RH_PLATFORM * e for TPM_RH_ENDORSEMENT * n for TPM_RH_NULL * <num> where a raw number can be used.

  • -P, --hierarchy-auth=AUTH:

    The authorization value for the hierarchy specified with -C.

  • -p, --key-auth=AUTH:

    The authorization value for the primary object created.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm to use for generating the objects name. Defaults to sha256 if not specified.

  • -G, --key-algorithm=ALGORITHM:

    The algorithm type for the generated primary key. Defaults to rsa2048:null:aes128cfb.

  • -c, --key-context=FILE:

    The file path to save the object context of the generated primary object.

  • -L, --policy=FILE:

    An optional file input that contains the policy digest for policy based authorization of the object.

  • -a, --attributes=ATTRIBUTES:


  • -u, --unique-data=FILE OR STDIN:

    An optional file input that contains the unique field of TPMT_PUBLIC in little-endian format. Primary key creator may place information that causes the primary key generation scheme internal to the TPM to generate statistically unique values. The TPM v2.0 specification calls this field unique and overloads it so that it contains one value when the application provides this structure as input and another value when the applications receives this structure as output (like public portion of the rsa key).

    If the data is specified as a file, the user is responsible for ensuring that this buffer is formatted per TPMU_PUBLIC_ID union.

    The unique data can also be retrieved from stdin buffer by specifying "-" as the --unique-data option value and the tool will parse the key type and associate the input data with the unique data buffer associated with the key type.

    NOTE: 1. The maximum allowed bytes is dependent on key type and the TPM implementation. Eg. While TSS allows a value upto 512 for MAX_RSA_KEY_BYTES, however the ibmSwTPM implementation supports a value upto 256 bytes. 2. The unique input data specified on stdin for ECC is split for specifying the X coordinate and Y coordinate buffers.

  • --creation-data=FILE:

    An optional file output that saves the creation data for certification.

  • --template-data=FILE:

    An optional file output that saves the key template data (TPM2B_PUBLIC) to be used in tpm2_policytemplate.

  • -t, --creation-ticket=FILE:

    An optional file output that saves the creation ticket for certification.

  • -d, --creation-hash=FILE:

    An optional file output that saves the creation hash for certification.

  • -q, --outside-info=FILE_OR_HEX:

    An optional file or hex string to add unique data to the creation data. Note that it does not contribute in creating statistically unique object.

  • -l, --pcr-list=PCR:

    The list of PCR banks and selected PCRs' ids for each bank to be included in the creation data for certification.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.

pubkey options

Public key format.
  • -o, --output=FILE:

    The output file path, recording the public portion of the object.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

object attribute specifiers details the options for specifying the object attributes ATTRIBUTES.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Create an ECC primary object

tpm2_createprimary -C o -g sha256 -G ecc -c context.out

Create a primary object that follows the guidance of TCG Provisioning guide

See : https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

Where unique.dat contains the binary-formatted data: 0x00 0x01 (0x00 * 256)

tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c prim.ctx \
-a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|\
noda' -u unique.dat

## Create a primary object and output the public key in pem format
tpm2_createprimary -c primary.ctx --format=pem --output=public.pem