I think I've figured out how to do it. Here is an example:
tpm2_createek -c ek.handle -G rsa -u ek.pub
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policysecret -S session.ctx -c e
tpm2_create -C ek.handle -c ak.ctx -u ak.pub -r ak.priv -P session:session.ctx
tpm2_readpublic -c ak.ctx -o ak.pem -n ak.name -f pem
tpm2_flushcontext session.ctx
file_size=`stat --printf="%s" ak.name`
loaded_key_name=`cat ak.name | xxd -p -c $file_size`
echo "secret" > secret.data
tpm2_makecredential -e ek.pub -s secret.data -n $loaded_key_name -o cred.out
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policysecret -S session.ctx -c e
tpm2_activatecredential -c ak.ctx -C ek.handle -i cred.out -o decrypt_secret.data -P "session:session.ctx"
tpm2_flushcontext session.ctx
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 22 December 2020 15:37, Auriga7 <Auriga7(a)protonmail.com> wrote:
Hi,
I would like to know how I can certify that a non-restricted signing key belongs to a
real TPM, in the same way that an AIK key can guarantee it is from a TPM using the EK and the
EK certificate of the TPM. I've tried using the makecredential and activatecredential
commands of tpm2-tools on a non-restricted signing key created with the create command.
However, those commands seem to only work for an AIK key created using the createak command.
How can I create a non-restricted signing key and then ensure that this key is linked to a
real TPM using tpm2-tools?
Thank you.
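As an added example (not from either poster, and not tpm2-tools code), the following Python models the verifier's side of the credential-activation flow in the reply above: it derives the key name that the reply extracts from ak.name with xxd and passes to tpm2_makecredential -n, directly from the public area, and it compares the secret that comes back from tpm2_activatecredential with the challenge. It goes a little beyond the thread by also decoding the TPMA_OBJECT attributes, since a verifier should check fixedTPM, fixedParent and sensitiveDataOrigin before treating a successful activation as proof that the key was generated inside that TPM. Assumptions: the file written by tpm2_create -u is a marshalled TPM2B_PUBLIC (a 2-byte size followed by the TPMT_PUBLIC), the name algorithm is SHA-256, and the sample public blob is constructed here with a fake modulus rather than taken from a real TPM.

```python
import hashlib
import hmac
import struct

# TPM 2.0 algorithm identifiers (TPM 2.0 Library spec, Part 2).
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_RSAES = 0x0015  # the one RSA scheme that carries no hash algorithm

# TPMA_OBJECT bits a verifier cares about when deciding whether to trust a key.
TPMA_OBJECT_BITS = {
    "fixedTPM": 1 << 1,
    "fixedParent": 1 << 4,
    "sensitiveDataOrigin": 1 << 5,
    "userWithAuth": 1 << 6,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,
}

NAME_ALG_DIGEST = {TPM_ALG_SHA256: hashlib.sha256}


def build_sample_rsa_public(attrs: int, modulus: bytes) -> bytes:
    """Constructed sample: a marshalled TPM2B_PUBLIC for an RSA key with an
    empty authPolicy, NULL symmetric/scheme and a fake modulus (test data only)."""
    tpmt_public = struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, attrs)
    tpmt_public += struct.pack(">H", 0)                      # authPolicy: empty TPM2B_DIGEST
    tpmt_public += struct.pack(">H", TPM_ALG_NULL)           # parameters.symmetric
    tpmt_public += struct.pack(">H", TPM_ALG_NULL)           # parameters.scheme
    tpmt_public += struct.pack(">HI", len(modulus) * 8, 0)   # keyBits, exponent (0 = default)
    tpmt_public += struct.pack(">H", len(modulus)) + modulus  # unique.rsa
    return struct.pack(">H", len(tpmt_public)) + tpmt_public


def parse_public(tpm2b_public: bytes) -> dict:
    """Decode the header fields a verifier needs from a TPM2B_PUBLIC blob."""
    (size,) = struct.unpack_from(">H", tpm2b_public, 0)
    body = tpm2b_public[2:2 + size]
    if len(body) != size:
        raise ValueError("truncated TPM2B_PUBLIC")
    key_type, name_alg, attrs = struct.unpack_from(">HHI", body, 0)
    (policy_len,) = struct.unpack_from(">H", body, 8)
    off = 10 + policy_len
    info = {"type": key_type, "nameAlg": name_alg, "attributes": attrs,
            "authPolicy": body[10:off],
            "flags": {k: bool(attrs & v) for k, v in TPMA_OBJECT_BITS.items()}}
    if key_type == TPM_ALG_RSA:
        (sym,) = struct.unpack_from(">H", body, off); off += 2
        if sym != TPM_ALG_NULL:
            off += 4  # keyBits + mode follow a non-NULL symmetric algorithm
        (scheme,) = struct.unpack_from(">H", body, off); off += 2
        if scheme not in (TPM_ALG_NULL, TPM_ALG_RSAES):
            off += 2  # RSASSA/RSAPSS/OAEP carry a 2-byte hash algorithm
        key_bits, _exponent = struct.unpack_from(">HI", body, off)
        info["keyBits"] = key_bits
    return info


def key_name(tpm2b_public: bytes) -> bytes:
    """TPM object name = nameAlg (2 bytes, big-endian) || H(TPMT_PUBLIC).
    This is the value tpm2_readpublic -n writes to ak.name; its hex form is
    what the reply passes to tpm2_makecredential -n."""
    info = parse_public(tpm2b_public)
    digest = NAME_ALG_DIGEST[info["nameAlg"]]
    (size,) = struct.unpack_from(">H", tpm2b_public, 0)
    return struct.pack(">H", info["nameAlg"]) + digest(tpm2b_public[2:2 + size]).digest()


def created_in_tpm(info: dict) -> bool:
    """Attributes to insist on before trusting an activation: the key cannot be
    exported, cannot be re-parented, and its private part was generated by the TPM."""
    f = info["flags"]
    return f["fixedTPM"] and f["fixedParent"] and f["sensitiveDataOrigin"]


def activation_succeeded(challenge_secret: bytes, returned_secret: bytes) -> bool:
    """Compare the contents of decrypt_secret.data with the secret that went
    into tpm2_makecredential -s, in constant time."""
    return hmac.compare_digest(challenge_secret, returned_secret)


# Constructed sample: a non-restricted signing key, i.e. the attribute set
# fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|sign = 0x00040072.
SAMPLE_ATTRS = 0x00040072
SAMPLE_PUBLIC = build_sample_rsa_public(SAMPLE_ATTRS, bytes(range(256)))

if __name__ == "__main__":
    info = parse_public(SAMPLE_PUBLIC)
    print("set flags:", [k for k, v in info["flags"].items() if v])
    print("keyBits:", info["keyBits"])
    print("created in TPM:", created_in_tpm(info))
    print("name for tpm2_makecredential -n:", key_name(SAMPLE_PUBLIC).hex())
```

The name check matters because tpm2_makecredential binds the credential to the name, and the TPM only releases the secret in tpm2_activatecredential when an object with exactly that name is loaded; computing the name yourself from ak.pub, rather than trusting an ak.name file sent by the device, removes one thing the remote side could substitute. The attribute check is the part that answers the original question: "restricted" is not what ties a key to a TPM; fixedTPM, fixedParent and sensitiveDataOrigin are.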