% tpm2_encryptdecrypt(1) tpm2-tools | General Commands Manual


tpm2_encryptdecrypt(1) - Performs symmetric encryption or decryption.


tpm2_encryptdecrypt [OPTIONS] [ARGUMENT]


tpm2_encryptdecrypt(1) - Performs symmetric encryption or decryption with a specified symmetric key on the contents of FILE. If FILE is not specified, defaults to stdin.


  • -c, --key-context=OBJECT:

    The encryption key object.

  • -p, --auth=AUTH:

    The authorization value for the encryption key object.

  • -d, --decrypt:

    Perform a decrypt operation. Defaults to encryption when this option is not specified.

  • -e, --pad:

    Enable pkcs7 padding for applicable AES encryption modes cfb/cbc/ecb. Applicable only to encryption and for input data with last block shorter than encryption block length.

  • -o, --output=FILE or STDOUT:

    The output file path for either the encrypted or decrypted data. If not specified, defaults to stdout.

  • -G, --mode=ALGORITHM:

    The key algorithm associated with this object. Defaults to object properties or CFB if not defined.

  • -t, --iv=FILE:

    Optional initialization vector to use. Defaults to 0's. Syntax allows for an input file and output file source to be specified. The input file path is first, optionally followed by a colon ":" and the output iv path. This output iv can be saved for subsequent calls when chaining.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash.

  • ARGUMENT the command line argument specifies the input file path FILE of the data to encrypt or decrypt.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Create an AES key

tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt and Decrypt some data

echo "my secret" > secret.dat
tpm2_encryptdecrypt -c key.ctx -o secret.enc secret.dat
tpm2_encryptdecrypt -d -c key.ctx -o secret.dec secret.enc
cat secret.dec
my secret