% tpm2_policyauthvalue(1) tpm2-tools | General Commands Manual


tpm2_policyauthvalue(1) - Enables binding a policy to the authorization value of the authorized TPM object.


tpm2_policyauthvalue [OPTIONS]


tpm2_policyauthvalue(1) - Enables a policy that requires the object's authentication passphrase be provided. This is equivalent to authenticating using the object passphrase in plaintext or HMAC. It enforces it as a policy. It provides a mechanism to allow for password authentication when an object only allows policy based authorization, ie object attribute "userwithauth" is 0.


  • -L, --policy=FILE:

    File to save the compounded policy digest.

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).


common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


We want to authenticate using the TPM objects plaintext authentication value. While we could authenticate with an ephemeral password session, in this example we will authenticate with the plaintext passphrase in a policy session instead using the tpm2_policyauthvalue(1) tool.

Create the password policy

tpm2_startauthsession -S session.dat

tpm2_policyauthvalue -S session.dat -L policy.dat

tpm2_flushcontext session.dat

Create the object with a passphrase and the password policy

tpm2_createprimary -C o -c prim.ctx

tpm2_create -g sha256 -G aes -u key.pub -r key.priv -C prim.ctx -L policy.dat \
  -p testpswd

Authenticate with plaintext passphrase input

tpm2_load -C prim.ctx -u key.pub -r key.priv -n key.name -c key.ctx

echo "plaintext" > plain.txt
tpm2_encryptdecrypt -c key.ctx -o encrypt.out plain.txt -p testpswd

Authenticate with password and the policy

tpm2_startauthsession --policy-session -S session.dat

tpm2_policyauthvalue -S session.dat

tpm2_encryptdecrypt -c key.ctx -o encrypt.out -p session:session.dat+testpswd \

tpm2_flushcontext session.dat