[openssl-users] openssl-1.1.0b : Getting keys from TPM

Ken Goldman kgoldman at us.ibm.com
Mon Nov 28 20:13:15 UTC 2016

To read a public key, use the TPM2_ReadPublic command.  I have an open 
source utility (tpm2pem) that converts that TPM format key to PEM.

If you need the private key, you will have to "duplicate" it to a key 
you know and then use that key to decrypt it.  It's possible.  However, 
it defeats the purpose of using the TPM as a hardware key store.  It 
would be better to use the TPM to do the private key operations.

For a TSS, I offer this, which has an ever expanding set of utilities 
and sample programs.  Let me know what you need for sample code.


I also suggest debugging with a SW TPM.


The tpm2pem utility currently comes with the attestation client and server:


On 11/3/2016 12:02 PM, Zvi Vered wrote:
> Hi Ken,
> 1. I mean: read from TPM
> 2. In order to create an SSL session with the server, should I need also
> the private key ?
> 3. I want to use TPM 2.0
>     On 11/2/2016 11:06 PM, Zvi Vered wrote:
>         I want to use openssl in order to send\receive encrypted
>         messages to a
>         server.
>         My Target has TPM.
>         Can you please explain how to configure the openssl library to take
>         public+private keys from TPM ?
>         Should I use a specific TPM library ?
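As an added illustration of the first step Ken describes (read the public part with TPM2_ReadPublic and turn it into PEM), the script below is example code written for this page; it is not Ken's tpm2pem utility and not part of any TSS. It unmarshals the TPMT_PUBLIC structure that TPM2_ReadPublic returns for an RSA key (field layout per TPM 2.0 Library Part 2: type, nameAlg, objectAttributes, authPolicy, the RSA parameters, then the modulus in `unique`) and wraps the modulus and exponent in a SubjectPublicKeyInfo DER/PEM that OpenSSL can load. Only public material is involved; the private part never leaves the TPM, which is exactly the property Ken says you should keep. The sample blob is constructed with a made-up modulus so the script runs offline; a real one comes from the TPM.

```python
import base64
import struct

# TPM 2.0 algorithm identifiers (TPM 2.0 Library Part 2, TPM_ALG_ID)
TPM_ALG_RSA = 0x0001
TPM_ALG_AES = 0x0006
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_CFB = 0x0043

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated TPMT_PUBLIC")
    return buf[pos:pos + n], pos + n


def parse_rsa_tpmt_public(blob):
    """Unmarshal the TPMT_PUBLIC of an RSA key (big-endian, as the TPM marshals it).
    Returns (modulus, exponent, objectAttributes)."""
    hdr, pos = _take(blob, 0, 8)
    alg_type, _name_alg, attributes = struct.unpack(">HHI", hdr)
    if alg_type != TPM_ALG_RSA:
        raise ValueError("not an RSA key: type 0x%04x" % alg_type)
    # TPM2B_DIGEST authPolicy: 2-byte size followed by the policy digest
    sz, pos = _take(blob, pos, 2)
    _policy, pos = _take(blob, pos, struct.unpack(">H", sz)[0])
    # TPMS_RSA_PARMS.symmetric: TPMT_SYM_DEF_OBJECT, keyBits+mode present unless TPM_ALG_NULL
    sym, pos = _take(blob, pos, 2)
    if struct.unpack(">H", sym)[0] != TPM_ALG_NULL:
        _, pos = _take(blob, pos, 4)
    # TPMS_RSA_PARMS.scheme: TPMT_RSA_SCHEME, hashAlg present unless TPM_ALG_NULL
    scheme, pos = _take(blob, pos, 2)
    if struct.unpack(">H", scheme)[0] != TPM_ALG_NULL:
        _, pos = _take(blob, pos, 2)
    kb, pos = _take(blob, pos, 6)
    key_bits, exponent = struct.unpack(">HI", kb)
    if exponent == 0:
        exponent = 65537  # spec: an exponent of zero means the default 2^16 + 1
    # TPM2B_PUBLIC_KEY_RSA unique: 2-byte size followed by the modulus
    sz, pos = _take(blob, pos, 2)
    n_bytes, pos = _take(blob, pos, struct.unpack(">H", sz)[0])
    if len(n_bytes) * 8 != key_bits:
        raise ValueError("modulus length does not match keyBits")
    return int.from_bytes(n_bytes, "big"), exponent, attributes


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return _der(0x02, b)


def rsa_public_key_der(n, e):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def rsa_public_key_pem(n, e):
    b64 = base64.b64encode(rsa_public_key_der(n, e)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def build_sample_tpmt_public(n, key_bits=2048):
    """Constructed test input: an RSA storage-style TPMT_PUBLIC with AES-128-CFB
    symmetric parms, null scheme, default exponent. Not output from a real TPM."""
    blob = struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, 0x00030072)
    blob += struct.pack(">H", 0)                               # empty authPolicy
    blob += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)  # symmetric
    blob += struct.pack(">H", TPM_ALG_NULL)                    # scheme
    blob += struct.pack(">HI", key_bits, 0)                    # keyBits, exponent=0
    blob += struct.pack(">H", key_bits // 8) + n.to_bytes(key_bits // 8, "big")
    return blob


# Made-up modulus (not a real key) so the example runs without hardware.
SAMPLE_MODULUS = (1 << 2047) | 0x1234567
SAMPLE_BLOB = build_sample_tpmt_public(SAMPLE_MODULUS)

if __name__ == "__main__":
    n, e, attrs = parse_rsa_tpmt_public(SAMPLE_BLOB)
    print(rsa_public_key_pem(n, e))
```

The resulting PEM can be checked with `openssl rsa -pubin -in key.pem -text -noout`. Going the other way (extracting the private key) is the duplication path Ken advises against; for TLS the sensible design keeps the private key in the TPM and hands OpenSSL an engine that forwards signing and decryption to it.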
