You can even get the PEM file at creation time. I am going to provide what you can do with tpm2-tools;
however, there are also tools that start with the tss2 prefix that use a higher-level API called FAPI. Those tools
might do what you want with far fewer steps than the tpm2-prefixed tools. I CC'd Andreas Fuchs so he can
advise on those tools.
head key.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFeWoma5eS7x7XjR1QWp
<snip>
# master
tpm2_createprimary -c primary.ctx --format=pem -o key.pem
For keys created with tpm2_create, you can use the readpublic option or use tpm2_print
# readpublic example
tpm2_create -C primary.ctx -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_readpublic --format=pem -o key.pem -c key.ctx
# print example
tpm2 print --type TPM2B_PUBLIC --format=pem key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEDts9Y64CGuHPjT/8nC
<snip>
The other portion of your question is "encrypting application secrets" to the TPM.
There are a few ways you could do this, but I would suggest using the sealing function.
It creates a TPM-protected object, but instead of it containing a key the TPM knows
how to use, it contains free-form user data, like the application secrets, or if those
are too large to store in the TPM, an AES key to wrap those with.
I would choose sealing first; it's the simplest. For AES wrapping I would pick
AES-256-GCM, but the key type and mode are up to you.
To seal a secret, one would use tpm2_create with the -i option:
# read secret from stdin with -i -, or use -i <file> to read from a file.
tpm2_create -C primary.ctx -i - -u key.pub -r key.priv <<< 'MY SECRET'
# load
tpm2 load -C primary.ctx -u key.pub -r key.priv -c key.ctx
# unseal secret from TPM
tpm2 unseal -c key.ctx
MY SECRET
For wrapping a secret with an AES key, just make 'MY SECRET' an AES key and use
openssl commands. Examples can be found here:
You can set passwords and policies on TPM objects as you see fit, and we can help
you craft a policy.
The man pages for the tools should have examples, you can just view the markdown on
the github wiki as well:
There are also examples in the test directory.
Bill
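The "too large to store in the TPM" case above, as an added example that is not part of the original message: the application secret is wrapped with AES-256-GCM under a random 32-byte key, and that 32-byte key is the only thing that would be sealed into the TPM (it is what you would feed to `tpm2_create -i -` and get back from `tpm2 unseal`). This code is my own illustration using only the Go standard library, not tpm2-tools or any tss2 code; the function names, the AAD label and the sample secret are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrapKeySize is the AES-256 key length in bytes. A key of this size is small
// enough to seal into the TPM; the wrapped secret itself can live on disk.
const WrapKeySize = 32

// NewWrapKey generates a fresh random AES-256 wrap key. In the sealing flow
// from the message this is the value you would pass to tpm2_create -i -.
func NewWrapKey() ([]byte, error) {
	key := make([]byte, WrapKeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != WrapKeySize {
		return nil, errors.New("wrap key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as one blob. aad is authenticated but not encrypted (here a label naming the
// secret) so one stored blob cannot silently be swapped for another.
func Wrap(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst, which we set to the nonce itself.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Unwrap reverses Wrap. Any change to the blob, or a mismatched aad, fails the
// GCM tag check and yields an error rather than garbage plaintext.
func Unwrap(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewWrapKey() // this key is what gets sealed to the TPM
	if err != nil {
		panic(err)
	}
	aad := []byte("app/db-credentials") // constructed label for the example
	secret := []byte("db-password: constructed-sample-value")
	blob, err := Wrap(key, secret, aad)
	if err != nil {
		panic(err)
	}
	out, err := Unwrap(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unwrapped: %s\n", out)
	blob[len(blob)-1] ^= 1 // flip one tag bit: the blob must now be rejected
	_, err = Unwrap(key, blob, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The blob layout (nonce first, tag last, as Go's GCM produces it) means a single file per secret; the nonce is random per Wrap call, so never reuse a blob's nonce by re-encrypting with a fixed one, and keep the wrap key only in the sealed TPM object rather than beside the blob.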