% tpm2_rsaencrypt(1) tpm2-tools | General Commands Manual

# NAME

**tpm2_rsaencrypt**(1) - Performs an RSA encryption operation using the TPM.

# SYNOPSIS

**tpm2_rsaencrypt** [*OPTIONS*] [*ARGUMENT*]

# DESCRIPTION

**tpm2_rsaencrypt**(1) - Performs RSA encryption on the contents of file data
using the indicated padding scheme according to IETF RFC 3447 (PKCS#1).
Input defaults to *STDIN* if not specified.

The key referenced by key-context is **required** to be:

1. An RSA key
2. Have the attribute *encrypt* **SET** in it's attributes.

# OPTIONS

  * **-c**, **\--key-context**=_OBJECT_:

    Context object pointing to the the public portion of RSA key to use for
    encryption.

  * **-o**, **\--output**=_FILE_:

    Optional output file path to record the encrypted data to. The default is to print
    the binary encrypted data to stdout.

  * **-s**, **\--scheme**=_FORMAT_:

    Optional, set the padding scheme (defaults to rsaes).

    * null  - TPM_ALG_NULL uses the key's scheme if set.
    * rsaes - TPM_ALG_RSAES which is RSAES_PKCSV1.5.
    * oaep  - TPM_ALG_OAEP which is RSAES_OAEP.

  * **-l**, **\--label**=_FILE_ or _STRING_:

    Optional, set the label data. Can either be a string or file path. The TPM
    requires the last byte of the label to be zero, this is handled internally
    to the tool. No other embedded 0 bytes can exist or the TPM will truncate
    your label.

  * **ARGUMENT** the command line argument specifies the path of the file with
    data to be encrypted.

## References

[context object format](common/ctxobj.md) details the methods for specifying
_OBJECT_.

[authorization formatting](common/authorizations.md) details the methods for
specifying _AUTH_.

[common options](common/options.md) collection of common options that provide
information many users may expect.

[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.


# EXAMPLES

## Create an RSA key and load it
```bash
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
```

## Encrypt using RSA
```bash
echo "my message" > msg.dat
tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat
```

## Decrypt using RSA
```bash
tpm2_rsadecrypt -c key.ctx -o msg.ptext msg.enc
cat msg.ptext
my message
```

[returns](common/returns.md)

[footer](common/footer.md)