keychain/help/help.txt - chromiumos/platform/tpm - Git at Google

 tpm-keychain
 Copyright (c) 2009,2010 The Chromium OS Authors. All rights reserved.

 tpm-keychain is a command-line program for managing Trusted Platform Module
 (TPM) keys.

 Using tpm-keychain, you can create an on-disk keychain and add or remove TPM
 keys to it. The keys, which are usable only in conjunction with the specific
 TPM, can be used for signing or encryption. Optionally, each key can also be
 individually password protected. The keychain can have a main password as
 well. Moreover, at creation time, each key can optionally be bound to one or
 more Platform Configuration Registers (PCRs). Such a key will be usable only
 if the PCR values on the platform match those specified at creation time.

 Each user can have a default keychain that can be managed through tpm-keychain.
 The default keychain resides in $HOME/.trousers/user.data, which is the User
 Persistent Store file for the TrouSerS software stack. tpm-keychain manages a
 sub-hierarchy of keys within this store. You can point TrouSeS, and in turn
 tpm-keychain, to a different store by setting the TSS_USER_PS_FILE environement
 variable.

 * Creating the Keychain

   --create [--srk_password SRK_PASSWORD] \
       [--keychain_password KEYCHAIN_PASSWORD]

   SRK_PASSWORD    The TPM's Storage Root Key password; tpm-keychain translates
                   the empty string (that is, "") to a password whose hash is
                   all zeros (the so called "well known secret" in the TSS
                   specification)
   KEYCHAIN_PASSWORD
                   Specify the keychain's main password (by default, a newly
                   created keychain will not use a main password)

   Note that although the keychain password or the individual key passwords may
   be changed, it is not permitted to start off with the keychain or a key
   having no password and later remove password protection altogether on the
   keychain or the key in question. At most, the password may be set to the
   empty passsword. Conversely, it is also not permitted to start off with no
   password protection on the keychain or a key and later set a password on
   the keychain or the key in question.

 * Destroying the Keychain

   --destroy [--srk_password SRK_PASSWORD] \
       [--keychain_password KEYCHAIN_PASSWORD]

   This operation will destroy the keychain along with all its constituent
   keys. If the User Persistent Store contains keys or key hierarchies other
   than those created by tpm-keychain, they will be unaffected.

 * Adding a Key to the Keychain

   --add KEY_TYPE [--pcr PCR] [--key_password KEY_PASSWORD] [--uuid UUID] \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

   KEY_TYPE        One of "bind", "legacy", "signing", "ssh", and "storage"
   PCR             A PCR whose value will be required to use the key; multiple
                   PCRs can be specified by multiple instances of this argument
   KEY_PASSWORD    If specified, this password will be required to authorize
                   the key's use; by default, the key will not be password
                   protected
   UUID            Specific UUID to use for the key; by default, the key is
                   assigned a randomly generated UUID

 * Removing a Key from the Keychain

   --remove --uuid UUID \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

 * Listing Keys in the Keychain

   --list [--uuid UUID] [--verbose] \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

   By default, all keys in the keychain will be listed; if a UUID is specified,
   only that UUID, if found, will be displayed.

 * Changing the Password on a Password-Protected Key

   --new_password NEW_PASSWORD --uuid UUID [--key_password KEY_PASSWORD] \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

   As a special case, UUID can be the literal string "keychain", in which
   case the keychain's main password will be changed.

 * Retrieving the Public Component of a Signing Key in a Form Usable by OpenSSH

   --ssh --uuid UUID \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

   Given a signing key (or a legacy key that can be used for signing), the
   information displayed by --ssh can be used for TPM-based public key
   authentication in OpenSSH. You will additionally need the "tpm_openssh"
   loadable module that's part of tpm-keychain.

 * Retrieving Key Information as a Binary Blob

   --blob --uuid UUID \
       [--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

 * Resetting the TPM's Anti-Dictionary-Attack Lock

   --resetlock --owner_password OWNER_PASSWORD

   OWNER_PASSWORD  The TPM owner password

 tpm-keychain also accepts the following arguments:

   --server SERVER Instead of using local TPM resources, connect to the remote
                   machine specified by SERVER; this argument overrides the
                   TSS_SERVER environment variable if the latter is set
   --v1.1          Use version 1.1 structures (default)
   --v1.2          Use version 1.2 structures
   --verbose       Be verbose (for example, when listing keys)
	tpm-keychain
	Copyright (c) 2009,2010 The Chromium OS Authors. All rights reserved.

	tpm-keychain is a command-line program for managing Trusted Platform Module
	(TPM) keys.

	Using tpm-keychain, you can create an on-disk keychain and add or remove TPM
	keys to it. The keys, which are usable only in conjunction with the specific
	TPM, can be used for signing or encryption. Optionally, each key can also be
	individually password protected. The keychain can have a main password as
	well. Moreover, at creation time, each key can optionally be bound to one or
	more Platform Configuration Registers (PCRs). Such a key will be usable only
	if the PCR values on the platform match those specified at creation time.

	Each user can have a default keychain that can be managed through tpm-keychain.
	The default keychain resides in $HOME/.trousers/user.data, which is the User
	Persistent Store file for the TrouSerS software stack. tpm-keychain manages a
	sub-hierarchy of keys within this store. You can point TrouSeS, and in turn
	tpm-keychain, to a different store by setting the TSS_USER_PS_FILE environement
	variable.

	* Creating the Keychain

	--create [--srk_password SRK_PASSWORD] \
	[--keychain_password KEYCHAIN_PASSWORD]

	SRK_PASSWORD The TPM's Storage Root Key password; tpm-keychain translates
	the empty string (that is, "") to a password whose hash is
	all zeros (the so called "well known secret" in the TSS
	specification)
	KEYCHAIN_PASSWORD
	Specify the keychain's main password (by default, a newly
	created keychain will not use a main password)

	Note that although the keychain password or the individual key passwords may
	be changed, it is not permitted to start off with the keychain or a key
	having no password and later remove password protection altogether on the
	keychain or the key in question. At most, the password may be set to the
	empty passsword. Conversely, it is also not permitted to start off with no
	password protection on the keychain or a key and later set a password on
	the keychain or the key in question.

	* Destroying the Keychain

	--destroy [--srk_password SRK_PASSWORD] \
	[--keychain_password KEYCHAIN_PASSWORD]

	This operation will destroy the keychain along with all its constituent
	keys. If the User Persistent Store contains keys or key hierarchies other
	than those created by tpm-keychain, they will be unaffected.

	* Adding a Key to the Keychain

	--add KEY_TYPE [--pcr PCR] [--key_password KEY_PASSWORD] [--uuid UUID] \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	KEY_TYPE One of "bind", "legacy", "signing", "ssh", and "storage"
	PCR A PCR whose value will be required to use the key; multiple
	PCRs can be specified by multiple instances of this argument
	KEY_PASSWORD If specified, this password will be required to authorize
	the key's use; by default, the key will not be password
	protected
	UUID Specific UUID to use for the key; by default, the key is
	assigned a randomly generated UUID

	* Removing a Key from the Keychain

	--remove --uuid UUID \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	* Listing Keys in the Keychain

	--list [--uuid UUID] [--verbose] \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	By default, all keys in the keychain will be listed; if a UUID is specified,
	only that UUID, if found, will be displayed.

	* Changing the Password on a Password-Protected Key

	--new_password NEW_PASSWORD --uuid UUID [--key_password KEY_PASSWORD] \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	As a special case, UUID can be the literal string "keychain", in which
	case the keychain's main password will be changed.

	* Retrieving the Public Component of a Signing Key in a Form Usable by OpenSSH

	--ssh --uuid UUID \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	Given a signing key (or a legacy key that can be used for signing), the
	information displayed by --ssh can be used for TPM-based public key
	authentication in OpenSSH. You will additionally need the "tpm_openssh"
	loadable module that's part of tpm-keychain.

	* Retrieving Key Information as a Binary Blob

	--blob --uuid UUID \
	[--srk_password SRK_PASSWORD] [--keychain_password KEYCHAIN_PASSWORD]

	* Resetting the TPM's Anti-Dictionary-Attack Lock

	--resetlock --owner_password OWNER_PASSWORD

	OWNER_PASSWORD The TPM owner password

	tpm-keychain also accepts the following arguments:

	--server SERVER Instead of using local TPM resources, connect to the remote
	machine specified by SERVER; this argument overrides the
	TSS_SERVER environment variable if the latter is set
	--v1.1 Use version 1.1 structures (default)
	--v1.2 Use version 1.2 structures
	--verbose Be verbose (for example, when listing keys)