Example 1: Simple Key Management
An end user is handling all of their own keys. The user has two systems: a primary system and a backup system for backing up keys. Here are the steps the user follows to manage the keys:
1. Create an SRK on each system using a standard nonduplicable key template. Set userWithAuth to TRUE, adminWithPolicy to FALSE, and the policy to a NULL policy. This means the policy is disabled and the password can be used to authorize use of the SRK. The user sets the password to a well-known password when using the TPM2_CreatePrimary command to create the SRKs.
2. Create a duplicable storage key (DSK) under the SRK on the primary system. Use TPM2_Create to create this key.
It has userWithAuth set to TRUE and adminWithPolicy set to TRUE. This allows the password to authorize using the key and the policy for duplicating the key. (Remember that keys can only be duplicated using a policy.) It has a policy that specifically has a branch with TPM2_PolicyCommandCode with TPM2_Duplicate selected, together with TPM2_PolicyAuthValue. This policy requires the user to prove knowledge of the key's password in order to duplicate it.
3. Load the public key of the new SRK to which the key is to be duplicated.
4. Duplicate this storage key to the backup system by
creating a policy session, executing TPM2_PolicyCommandCode with TPM2_PolicyDuplicate, and then executing TPM2_PolicyAuthValue. Then an HMAC session is started (using the DSK password). The two sessions are referenced when executing the TPM2_Duplicate command, passing it the handle of the DSK and the public key of the SRK of the backup system. This produces a blob that contains the duplicated key and is encrypted in a way that can be imported into the TPM, which knows the SRK private portion.
5. Move the blob to the backup system, and use TPM2_Import to import the key into the backup system. This produces another blob, which can be loaded into the backup system on demand.
6. As new keys are created under the DSK on the primary system, send copies of those key blobs to the backup system, where they can also be loaded using the copy of the DSK, and used.
7. To decommission the primary system, use TPM2_Clear, using the lockout password to clear the TPM's storage hierarchy.
8. To migrate all keys to a new system, create an SRK on the new primary system.
9. Repeat the process of duplication from step 4. This time, the new parent is the SRK of the new primary system.
10. Copy all other keys blobs onto the new primary system.