tpm2_rsaencrypt(1) - Performs an RSA encryption operation using the TPM.


tpm2_rsaencrypt [OPTIONS] [ARGUMENT]


tpm2_rsaencrypt(1) - Performs RSA encryption on the contents of the input file using the padding scheme indicated by --scheme, according to IETF RFC 3447 (PKCS#1). Input defaults to STDIN if no file is specified.

The key referenced by key-context is required to be:

  1. An RSA key
  2. Have the encrypt attribute SET in its attributes.


  • -c, --key-context=OBJECT:

    Context object pointing to the public portion of the RSA key to use for encryption.

  • -o, --output=FILE:

    Optional output file path to record the encrypted data to. The default is to print the binary encrypted data to stdout.

  • -s, --scheme=FORMAT:

    Optional, set the padding scheme (defaults to rsaes).

    • null - TPM_ALG_NULL, which uses the key's own scheme if one is set.
    • rsaes - TPM_ALG_RSAES, which is RSAES-PKCS1-v1_5 (PKCS#1 v1.5 padding).
    • oaep - TPM_ALG_OAEP, which is RSAES-OAEP.

  • -l, --label=FILE or STRING:

    Optional, set the label data. Can be either a string or a file path. The TPM requires the last byte of the label to be zero; the tool appends this byte internally. No other embedded zero bytes may be present, or the TPM will truncate the label.

  • ARGUMENT: the command-line argument specifies the path of the file containing the data to be encrypted.
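The two padding schemes selectable with --scheme differ only in how the message is encoded before the TPM applies the public key. The following added example, which is not tpm2-tools code, shows that encoding step for RSAES-PKCS1-v1_5 and RSAES-OAEP as RFC 3447 defines it, together with the --label rule above (terminating zero byte appended, embedded zero bytes rejected). It assumes SHA-256 as the OAEP hash and a 2048-bit modulus (256 bytes), matching the rsa2048 key in the examples; that the TPM hashes the NUL-terminated label exactly as given is also an assumption, since the page only states that the last byte must be zero.

```python
"""Message encoding for the two padding schemes tpm2_rsaencrypt can select,
RSAES-PKCS1-v1_5 and RSAES-OAEP (RFC 3447, PKCS#1), plus the label rule for
-l/--label. Added illustration, not tpm2-tools code: only the padding step
is shown; the RSA exponentiation itself happens inside the TPM."""
import hashlib
import os

HASH = "sha256"   # assumed OAEP hash; the page does not name one
K = 256           # modulus length in bytes for the rsa2048 key in the examples


def prepare_label(label: bytes) -> bytes:
    """Label rule from the page: the TPM wants a terminating zero byte and
    tolerates no other zero bytes. Reject embedded NULs rather than let the
    TPM silently truncate the label (the tool appends the final NUL itself)."""
    if b"\x00" in label:
        raise ValueError("label must not contain embedded zero bytes")
    return label + b"\x00"


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 3447 appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(HASH, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(msg: bytes, label: bytes, seed: bytes = None) -> bytes:
    """EME-OAEP encoding (RFC 3447 section 7.1.1, step 2). The label is hashed
    as given, so pass the NUL-terminated form from prepare_label(); whether
    the TPM hashes exactly that byte string is an assumption here."""
    h_len = hashlib.new(HASH).digest_size
    if len(msg) > K - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(HASH, label).digest()
    ps = b"\x00" * (K - len(msg) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + msg
    if seed is None:
        seed = os.urandom(h_len)          # fresh random seed per encryption
    masked_db = xor(db, mgf1(seed, K - h_len - 1))
    masked_seed = xor(seed, mgf1(masked_db, h_len))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em: bytes, label: bytes) -> bytes:
    """Inverse of eme_oaep_encode (RFC 3447 section 7.1.2, step 3). All
    checks are folded into one result so a wrong label, wrong leading byte
    and bad padding are indistinguishable to the caller."""
    h_len = hashlib.new(HASH).digest_size
    l_hash = hashlib.new(HASH, label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len))
    db = xor(masked_db, mgf1(seed, K - h_len - 1))
    sep = db.find(b"\x01", h_len)
    ok = (len(em) == K and y == 0 and db[:h_len] == l_hash
          and sep != -1 and not any(db[h_len:sep]))
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]


def eme_pkcs1_v15_encode(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 encoding, block type 2 (RFC 3447 section 7.2.1, step 2):
    00 || 02 || PS || 00 || M, with PS random and free of zero bytes."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - len(msg) - 3:
        ps += os.urandom(1).replace(b"\x00", b"")   # drop zero bytes from PS
    return b"\x00\x02" + ps + b"\x00" + msg


def eme_pkcs1_v15_decode(em: bytes) -> bytes:
    """Inverse of eme_pkcs1_v15_encode (RFC 3447 section 7.2.2, step 3)."""
    sep = em.find(b"\x00", 2)
    if len(em) != K or em[:2] != b"\x00\x02" or sep == -1 or sep - 2 < 8:
        raise ValueError("decryption error")
    return em[sep + 1:]


if __name__ == "__main__":
    label = prepare_label(b"my label")            # constructed sample label
    em = eme_oaep_encode(b"my message", label)
    print(len(em), eme_oaep_decode(em, label))
    em = eme_pkcs1_v15_encode(b"my message")
    print(len(em), eme_pkcs1_v15_decode(em))
```

The OAEP path is the one to prefer for new deployments: the label binds the ciphertext to a context, and every decode check collapses into one verdict so a decrypter leaks nothing about which check failed. The PKCS#1 v1.5 encoder is included because it is the tool's default (rsaes), and the decoder shows why its structure is easier to get wrong: the only integrity signal is the 00 02 prefix and the position of the separator byte.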


context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.


Create an RSA key and load it

tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt using RSA

echo "my message" > msg.dat
tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat

Decrypt using RSA

tpm2_rsadecrypt -c key.ctx -o msg.ptext msg.enc
cat msg.ptext
my message