In the book, "A Practical Guide to TPM 2.0", there's a process describing key distribution which is as the following:

  1. The central IT system creates an HMAC key using TPM2_GetRandom.
  2. The central IT system encrypts the HMAC key with the public portion of the target client's storage key.
  3. The central IT system signs the encrypted HMAC key with its private signing key. This is done so the local platform knows that what is being sent is authorized by IT.
  4. The encrypted HMAC key is sent to the client along with a signature that proves it came from the central IT system.
  5. The client verifies the signature on the encrypted key by loading the central server's public key. (This can be done with the TPM using TPM2_Load and then using TPM2_VerifySignature, if you like.)
  6. The client imports the verified, encrypted HMAC key into its system using TPM2_Import, getting out a loadable, encrypted blob containing the HMAC key.
  7. The client loads the HMAC key when the user wishes to use it, using TPM2_Load, and uses it as normal. At this point, the local platform has received an HMAC key from the IT central system that has never been decrypted in the local system's memory.

I wonder how to encrypt the HMAC key and how to import it using TPM2_Import. How do you import a symmetric key encrypted by an RSA public key? I'd appreciate any replies, thanks!
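What steps 2 and 6 look like on the wire, as an added example that is not from the book or the original post. "Encrypt the HMAC key with the public portion of the storage key" is shorthand: TPM2_Import does not take an RSA-encrypted key directly. It takes a duplication blob built by the outer wrapper of TPM 2.0 Library Part 1, section 23.3.2: a random seed is encrypted to the parent with RSA-OAEP (label "DUPLICATE"), a symmetric key and an HMAC key are derived from that seed with KDFa, the marshalled TPM2B_SENSITIVE holding the HMAC key is encrypted with AES-CFB, and an HMAC over the ciphertext and the new object's Name binds it to the public area. The central system needs only the client parent's public key and the conventions below; `unwrapAsTPM` replays what the client's TPM does inside TPM2_Import so the blob can be checked here without hardware. Assumptions, not part of the book's procedure: the parent is an RSA-2048 storage key with SHA-256 nameAlg and AES-128-CFB symmetric parameters (the common defaults), `standInParent` is generated locally in place of the client's key, the auth value and sample HMAC key are constructed, and the signature of steps 3 to 5 is left out. In deployment you would hand `ObjectPublic`, `Duplicate` and `InSymSeed` to TPM2_Import (as objectPublic, duplicate and inSymSeed) rather than hand-roll this marshalling.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const algKeyedHash, algHMAC, algSHA256 = 0x0008, 0x0005, 0x000B // TPM_ALG_* identifiers, TPM 2.0 Library Part 2
func u16(v int) []byte       { b := make([]byte, 2); binary.BigEndian.PutUint16(b, uint16(v)); return b }
func u32(v uint32) []byte    { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
func sum(b []byte) []byte    { h := sha256.Sum256(b); return h[:] }
func cat(p ...[]byte) (out []byte) { for _, b := range p { out = append(out, b...) }; return out }
func tpm2b(b []byte) []byte  { return cat(u16(len(b)), b) }                      // TPM2B_*: 16-bit size prefix
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand never fails on Go 1.24+

var standInParent, _ = rsa.GenerateKey(rand.Reader, 2048) // assumption: replaces the client's RSA storage key; IT holds only the public half

// kdfa is KDFa (Part 1, 11.4.10): SP800-108 counter mode over HMAC-SHA256 with a NUL-terminated label.
func kdfa(key []byte, label string, contextU, contextV []byte, bits int) (out []byte) {
	for i := uint32(1); len(out)*8 < bits; i++ {
		m := hmac.New(sha256.New, key)
		m.Write(cat(u32(i), []byte(label), []byte{0}, contextU, contextV, u32(uint32(bits))))
		out = m.Sum(out)
	}
	return out[:bits/8]
}

// cfb is AES-CFB128 with a zero IV, the symmetric mode the TPM2_Import outer wrapper uses.
func cfb(key, data []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key)
	iv, out := make([]byte, aes.BlockSize), make([]byte, len(data))
	stream := cipher.NewCFBDecrypter(block, iv)
	if encrypt {
		stream = cipher.NewCFBEncrypter(block, iv)
	}
	stream.XORKeyStream(out, data)
	return out
}

// hmacPublic marshals TPMT_PUBLIC for an HMAC-SHA256 key (sign|noDA|userWithAuth; fixedTPM, fixedParent and sensitiveDataOrigin CLEAR, as an imported key requires) and returns it with its Name.
func hmacPublic(unique []byte) (pub, name []byte) {
	pub = cat(u16(algKeyedHash), u16(algSHA256), u32(0x00040440), tpm2b(nil), // type, nameAlg, attributes, empty authPolicy
		u16(algHMAC), u16(algSHA256), tpm2b(unique)) // TPMS_KEYEDHASH_PARMS (HMAC scheme, SHA-256), unique
	return pub, cat(u16(algSHA256), sum(pub)) // Name = nameAlg || H_nameAlg(public)
}

type Duplicate struct{ ObjectPublic, Duplicate, InSymSeed []byte } // the three TPM2_Import inputs sent to the client
// wrapForImport builds them from the client parent's PUBLIC key alone (outer wrapper, Part 1 23.3.2): the seed goes out under
// RSA-OAEP "DUPLICATE"; KDFa(seed,"STORAGE",name) keys AES-128-CFB over the TPM2B_SENSITIVE; KDFa(seed,"INTEGRITY") keys the HMAC.
func wrapForImport(parent *rsa.PublicKey, hmacKey, auth []byte) (*Duplicate, error) {
	obf, seed := randBytes(32), randBytes(32)       // seedValue (obfuscation value) and duplication seed
	pub, name := hmacPublic(sum(cat(obf, hmacKey))) // keyedhash unique = H_nameAlg(seedValue || key)
	sens := tpm2b(cat(u16(algKeyedHash), tpm2b(auth), tpm2b(obf), tpm2b(hmacKey))) // TPM2B_SENSITIVE
	enc := cfb(kdfa(seed, "STORAGE", name, nil, 128), sens, true)
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(cat(enc, name)) // outer HMAC covers ciphertext || Name, so the blob only imports under this public area
	encSeed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, parent, seed, []byte("DUPLICATE\x00"))
	return &Duplicate{pub, cat(tpm2b(mac.Sum(nil)), enc), encSeed}, err // err only if the modulus cannot hold a 32-byte seed
}

// unwrapAsTPM replays the client TPM's side of TPM2_Import so the blob can be checked without hardware; in deployment the seed and plaintext key never leave the TPM.
func unwrapAsTPM(parent *rsa.PrivateKey, d *Duplicate) ([]byte, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), nil, parent, d.InSymSeed, []byte("DUPLICATE\x00"))
	if err != nil {
		return nil, err
	}
	name := cat(u16(algSHA256), sum(d.ObjectPublic))
	if len(d.Duplicate) < 2 || len(d.Duplicate) < 2+int(binary.BigEndian.Uint16(d.Duplicate)) {
		return nil, errors.New("TPM_RC_SIZE: malformed duplicate")
	}
	n := int(binary.BigEndian.Uint16(d.Duplicate))
	gotMac, enc := d.Duplicate[2:2+n], d.Duplicate[2+n:]
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(cat(enc, name))
	if !hmac.Equal(mac.Sum(nil), gotMac) { // integrity is verified before anything is decrypted
		return nil, errors.New("TPM_RC_INTEGRITY: outer HMAC mismatch")
	}
	s := cfb(kdfa(seed, "STORAGE", name, nil, 128), enc, false)
	skip := func(b []byte) []byte { return b[2+int(binary.BigEndian.Uint16(b)):] } // drop one TPM2B field
	key := skip(skip(s[4:])) // past size, sensitiveType, authValue and seedValue (sizes are trustworthy after the HMAC)
	return key[2 : 2+int(binary.BigEndian.Uint16(key))], nil
}

func main() {
	hmacKey := randBytes(32) // step 1 would call TPM2_GetRandom on the IT system's own TPM instead
	d, err := wrapForImport(&standInParent.PublicKey, hmacKey, []byte("client-auth")) // auth value is an assumption
	if err != nil {
		panic(err)
	}
	got, err := unwrapAsTPM(standInParent, d)
	fmt.Printf("duplicate=%d bytes inSymSeed=%d bytes roundtrip=%v err=%v\n", len(d.Duplicate), len(d.InSymSeed), string(got) == string(hmacKey), err)
}
```

The security-relevant points are in the two KDFa calls and the HMAC: because both derived keys come from a seed that only the parent's private key can recover, and the HMAC is computed over the ciphertext together with the object's Name, a client TPM will refuse a blob whose public area (attributes, scheme, unique) was altered in transit, which is why the book's step 7 can say the key was never decrypted in host memory. Note that `fixedTPM` and `fixedParent` must be CLEAR on an imported object; if you need those attributes, the key has to be created on the client TPM instead.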