% tpm2_hmac(1) tpm2-tools | General Commands Manual


tpm2_hmac(1) - Performs an HMAC operation with the TPM.


tpm2_hmac [OPTIONS] [ARGUMENT]


tpm2_hmac(1) - Performs an HMAC operation and returns the results. If argument file is not specified, then data is read from stdin.

The hashing algorithm defaults to the key's scheme, or to sha256 if the key has a NULL scheme.

Output defaults to STDOUT and binary format unless otherwise specified via -o and --hex options respectively.


  • -c, --key-context=OBJECT:

    The context object of the symmetric signing key providing the HMAC key. Either a file or a handle number. See section "Context Object Format".

  • -p, --auth=AUTH:

    Optional authorization value to use the key specified by -c.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm to use. Algorithms should follow the "formatting standards", see section "Algorithm Specifiers". Also, see section "Supported Hash Algorithms" for a list of supported hash algorithms.

  • --hex

    Convert the output HMAC to hex format without a leading "0x".

  • -o, --output=FILE:

    Optional file record of the HMAC result. Defaults to STDOUT.

  • -t, --ticket=FILE:

    Optional file record of the ticket result.

  • --cphash=FILE

    File path to record the hash of the command parameters, commonly termed the cpHash. NOTE: When this option is selected, the tool does not execute the command; it only returns the cpHash.

  • ARGUMENT: the command line argument specifies the file path for the data to HMAC. Defaults to STDIN if not specified.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the methods for specifying ALGORITHM.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.



# create a primary object
tpm2_createprimary -c primary.ctx

# create an hmac key
tpm2_create -C primary.ctx -G hmac -c hmac.key

Perform an HMAC with Default Hash Algorithm

Perform an HMAC using the key's default scheme (hash algorithm) and output to stdout in hexadecimal format.

tpm2_hmac -c hmac.key --hex data.in
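
Tag and Verify a File

The following is an added example, not part of the tpm2-tools documentation. It wraps the command above to store a file's HMAC and check it later; it assumes the hmac.key context created above, and the function names, the HMAC_KEY_CTX variable and the ".hmac" sidecar file are hypothetical conventions.

```bash
# Added example (not from tpm2-tools). Assumes hmac.key from the steps above;
# function names and the ".hmac" sidecar file are hypothetical conventions.
HMAC_KEY_CTX="${HMAC_KEY_CTX:-hmac.key}"

# Print the hex HMAC of a file, computed by the TPM with the key's own scheme.
tpm_hmac_hex() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    _mac="$(tpm2_hmac -c "$HMAC_KEY_CTX" --hex "$1")" || return 2
    # Normalise case, then refuse empty or non-hex output (for example an
    # error message that ended up on stdout) instead of storing it as a tag.
    _mac="$(printf '%s' "$_mac" | tr 'A-F' 'a-f')"
    case "$_mac" in
        ''|*[!0-9a-f]*) echo "unexpected tpm2_hmac output" >&2; return 2 ;;
    esac
    printf '%s\n' "$_mac"
}

# Write FILE.hmac next to FILE.
tag_file() {
    _tag="$(tpm_hmac_hex "$1")" || return 2
    printf '%s\n' "$_tag" > "$1.hmac"
}

# Return 0 if FILE matches FILE.hmac, 1 on mismatch, 2 on any error.
verify_file() {
    [ -r "$1.hmac" ] || { echo "no tag for $1" >&2; return 2; }
    _want="$(tr -d ' \n\r' < "$1.hmac" | tr 'A-F' 'a-f')"
    _have="$(tpm_hmac_hex "$1")" || return 2
    if [ "$_have" = "$_want" ]; then
        return 0
    fi
    echo "HMAC mismatch for $1" >&2
    return 1
}
```

Keeping "mismatch" (1) distinct from "could not compute or find a tag" (2) lets a caller treat a TPM or file error as a failure rather than as a successful verification.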