% tpm2_policysecret(1) tpm2-tools | General Commands Manual


tpm2_policysecret(1) - Couples the authorization of an object to that of an existing object.


tpm2_policysecret [OPTIONS] [ARGUMENT]


tpm2_policysecret(1) - Couples the authorization of an object to that of an existing object without requiring exposing the existing secret until time of object use.


  • -c, --object-context=OBJECT:

    A context object specifier of a transient/permanent/persistent object. Either a file path of a object context blob or a loaded/persistent/permanent handle id. See section "Context Object Format". As an argument, it takes the auth value of the associated TPM object, a single dash - can be used to read the auth value from stdin. The argument follows the "authorization formatting standards", see section "Authorization Formatting".

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).

  • -L, --policy=FILE:

    File to save the policy digest.

  • -t, --expiration=NATURAL_NUMBER:

    Set the expiration time of the policy in seconds. In absence of nonceTPM the expiration time is the policy timeout value. If expiration value is 0 then the policy does not have a time limit on the authorization.

  • --ticket=FILE:

    The ticket file to record the authorization ticket structure.

  • --timeout=FILE:

    The file path to record the timeout structure returned.

  • -x, --nonce-tpm:

    Enable the comparison of the current session's nonceTPM to ensure the validity of the policy authorization is limited to the current session.

  • -q, --qualification=FILE_OR_HEX_STR:

    Optional, the policy qualifier data that the signer can choose to include in the signature. Can be either a hex string or path.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed as cpHash. NOTE: When this option is selected, The tool will not actually execute the command, it simply returns a cpHash to be used in an audit or a policycphash.

  • ARGUMENT the command line argument specifies the AUTH to be set for the object specified with -c.


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Associate auth value of a sealing object to the owner hierarchy password. * Start a trial auth session and run tpm2_policysecret(1) to create policy that can only be satisfied if owner hierarchy auth value is supplied. * Start a real policy session and provide the owner hierarchy auth value. * Provide the session input where in the policysecret for owner hierarchy auth was satisfied to the unseal tool. * If the policy was satisfied unsealing should succeed.

Generate a policy that binds to the secret of the owner hiearchy

tpm2_startauthsession -S session.ctx

tpm2_policysecret -S session.ctx -c o -L secret.policy

tpm2_flushcontext session.ctx

Create a TPM object using the policy

tpm2_createprimary -Q -C o -g sha256 -G rsa -c prim.ctx

tpm2_create -Q -g sha256 -u sealing_key.pub -r sealing_key.priv -i- \
  -C prim.ctx -L secret.policy <<< "SEALED-SECRET"

tpm2_load -C prim.ctx -u sealing_key.pub -r sealing_key.priv \
  -c sealing_key.ctx

Satisfy the policy and unseal the secret

tpm2_startauthsession --policy-session -S session.ctx

tpm2_policysecret -S session.ctx -c o -L secret.policy

tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx

tpm2_flushcontext session.ctx