{"id":18320321,"url":"https://github.com/tpm2-software/tpm2-openssl","last_synced_at":"2026-03-05T15:32:37.066Z","repository":{"id":37931199,"uuid":"341633769","full_name":"tpm2-software/tpm2-openssl","owner":"tpm2-software","description":"OpenSSL Provider for TPM2 integration","archived":false,"fork":false,"pushed_at":"2025-01-25T20:38:14.000Z","size":369,"stargazers_count":95,"open_issues_count":40,"forks_count":37,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-29T06:07:16.540Z","etag":null,"topics":["openssl-provider","tpm","tpm2"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tpm2-software.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-23T17:25:47.000Z","updated_at":"2025-03-19T03:16:22.000Z","dependencies_parsed_at":"2025-01-13T10:08:06.757Z","dependency_job_id":"414e71b3-2f34-4bc2-9165-72e82bd4ee0d","html_url":"https://github.com/tpm2-software/tpm2-openssl","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tpm2-software%2Ftpm2-openssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tpm2-software%2Ftpm2-openssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tpm2-software%2Ftpm2-openssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tpm2-software%2Ftpm2-ope
nssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tpm2-software","download_url":"https://codeload.github.com/tpm2-software/tpm2-openssl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247299831,"owners_count":20916190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openssl-provider","tpm","tpm2"],"created_at":"2024-11-05T18:15:54.731Z","updated_at":"2026-03-05T15:32:37.019Z","avatar_url":"https://github.com/tpm2-software.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://github.com/tpm2-software/tpm2-openssl/workflows/gcc-distcheck/badge.svg)](https://github.com/tpm2-software/tpm2-openssl/actions)\n[![FreeBSD Build Status](https://api.cirrus-ci.com/github/tpm2-software/tpm2-openssl.svg?branch=master)](https://cirrus-ci.com/github/tpm2-software/tpm2-openssl)\n[![codecov](https://codecov.io/gh/tpm2-software/tpm2-openssl/branch/master/graph/badge.svg)](https://codecov.io/gh/tpm2-software/tpm2-openssl)\n[![Coverity Scan](https://scan.coverity.com/projects/22739/badge.svg)](https://scan.coverity.com/projects/tpm2-openssl)\n[![CodeQL](https://github.com/tpm2-software/tpm2-openssl/workflows/CodeQL/badge.svg)](https://github.com/tpm2-software/tpm2-openssl/actions/workflows/codeql.yml)\n\n# Provider for integration of TPM 2.0 to OpenSSL 3.x\n\nMakes the TPM 2.0 accessible via the standard OpenSSL API and command-line tools,\nso one can add TPM support to (almost) any OpenSSL 3.x based application.\n\nThe tpm2-openssl 
project\n\n* Implements a\n  [provider](https://www.openssl.org/docs/manmaster/man7/provider.html)\n  that integrates the\n  [Trusted Platform Module (TPM 2.0)](https://trustedcomputinggroup.org/work-groups/trusted-platform-module/)\n  operations into [OpenSSL 3.x](https://www.openssl.org/docs/OpenSSL300Design.html),\n  which is the next version of OpenSSL after 1.1.1.\n\n* Follows the new OpenSSL provider API and strictly avoids any legacy API.\n  Therefore this implementation:\n  - Is compatible with OpenSSL 3.x and (hopefully) future OpenSSL versions.\n  - Does **not** work with any previous version, including the current OpenSSL 1.1.\n\n* Is based on a major refactoring of the\n  [tpm2-tss-engine](https://github.com/tpm2-software/tpm2-tss-engine).\n  The code is still there, but largely reshuffled to match the new OpenSSL API.\n  Therefore this implementation:\n  - Retains (almost) all functions of the tpm2-tss-engine, although the\n    command-line interface and the API have changed.\n  - Does not modify the format of the `TSS2 PRIVATE KEY` file, so keys created by\n    the previous version still work.\n  - Respects the original license and copyright.\n\n* Relies on the\n  [Enhanced System API (ESAPI)](https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p0_r08_pub.pdf)\n  from the Trusted Computing Group's (TCG)\n  [TPM Software Stack (TSS 2.0)](https://trustedcomputinggroup.org/work-groups/software-stack/)\n  and uses the\n  [tpm2-tss](https://github.com/tpm2-software/tpm2-tss) software stack\n  implementation, version 3.2.0 or later.\n\n\n## Build and Installation Instructions\n\n[Several distributions](https://repology.org/project/tpm2-openssl/versions)\ninclude a `tpm2-openssl` package. For example, on Debian 12 or Ubuntu 22.04\njust run:\n```bash\napt install tpm2-openssl tpm2-tools tpm2-abrmd libtss2-tcti-tabrmd0\n```\n\nThe in-kernel resource manager is **not** sufficient for complex scenarios such\nas SSL or X.509 operations. 
The [tpm2-abrmd](https://github.com/tpm2-software/tpm2-abrmd)\nmust be used instead.\n\nInstructions for building and installing the tpm2 provider on other systems are\nprovided in the [INSTALL.md](docs/INSTALL.md) file.\n\nFor instructions on how releases are conducted, please see the\n[RELEASE.md](docs/RELEASE.md) file.\n\n## Features and Documentation\n\nThe tpm2 provider functions can be used via the\n[`openssl`](https://www.openssl.org/docs/manmaster/man1/openssl.html)\ncommand-line tool, or via the\n[libcrypto](https://www.openssl.org/docs/manmaster/man7/crypto.html) API.\n\nNo TPM-specific API calls are needed: applications may be completely unaware\nthat the keys being used are stored within the TPM.\nHowever, the application has to:\n - Load the tpm2 provider with the TPM-based operations,\n - When needed, load the\n   [base](https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-base.html)\n   or [default](https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html)\n   provider with operations for file read/write, standard encoders/decoders,\n   symmetric ciphers, and hashes.\n\nFor further documentation see the [latest GitHub docs](docs).\n\nYou may also review the documentation of the individual TPM2 vendors, such as the\n[OPTIGA™ TPM 2.0 command reference and code examples](https://github.com/Infineon/optiga-tpm-cheatsheet).\n\n### [Initialization](docs/initialization.md)\n\nConnect to the TPM2 using the\n[`openssl -provider`](https://www.openssl.org/docs/manmaster/man1/openssl.html)\noption, or using the\n[OSSL_PROVIDER](https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER.html)\nAPI functions.\nThe `TPM2OPENSSL_TCTI` environment variable may be used to specify the\nTPM Command Transmission Interface (TCTI).\n\nThe\n[OSSL_PROVIDER_self_test](https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_self_test.html)\nAPI may be used to invoke the TPM self-test operation.\n\n### [Symmetric Operations](docs/symmetric.md)\n\nProvides encryption 
(TPM2_EncryptDecrypt) using the\n[`openssl enc`](https://www.openssl.org/docs/manmaster/man1/openssl-enc.html)\nor the\n[EVP_Cipher](https://www.openssl.org/docs/manmaster/man3/EVP_Cipher.html) API.\nThe AES-128, AES-192, AES-256, CAMELLIA-128, CAMELLIA-192 and CAMELLIA-256\nalgorithms are supported in the ECB, CBC, OFB, CFB or CTR mode.\n\nProvides digest calculation (TPM2_Hash) using the\n[`openssl dgst`](https://www.openssl.org/docs/manmaster/man1/openssl-dgst.html)\nor the\n[EVP_Digest](https://www.openssl.org/docs/manmaster/man3/EVP_Digest.html) API.\nThe SHA-1, SHA-256, SHA-384 and SHA-512 algorithms are supported.\n\nThese operations are disabled by default. The `default` provider is much faster\nand should be used instead.\n\n### [Random Number Generation](docs/rng.md)\n\nProvides random number generation (TPM2_GetRandom) using the\n[`openssl rand`](https://www.openssl.org/docs/manmaster/man1/openssl-rand.html)\nor the\n[EVP_RAND](https://www.openssl.org/docs/manmaster/man3/EVP_RAND.html) API.\n\n### [Key Operations](docs/keys.md)\n\nProvides key generation (TPM2_Create) using the\n[`openssl genpkey`](https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html)\nor the\n[EVP_PKEY](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY.html) API\nfor the\n[RSA](https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-RSA.html) and\nRSA-PSS keys, as well as the\n[EC](https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-EC.html) keys\nwith the NIST curve P-192, P-224, P-256, P-384 or P-521.\nThe private key is stored as a PEM (`TSS2 PRIVATE KEY`) or DER file.\n\nFor example, to generate an RSA key using the TPM:\n```\nopenssl genpkey -provider tpm2 -algorithm RSA -out testkey.priv\n```\n\nProvides the\n[OSSL_STORE](https://www.openssl.org/docs/manmaster/man3/OSSL_STORE_CTX.html)\nand\n[OSSL_DECODER](https://www.openssl.org/docs/manmaster/man3/OSSL_DECODER.html) APIs\nto load (TPM2_Load) a private key from a previously generated file, as well as\npersistent keys generated 
with the\n[tpm2-tools](https://github.com/tpm2-software/tpm2-tools). Both the hexadecimal\nkey `handle` and the serialized `object` file may be used. These URI\nprefixes may be used with any `openssl` command.\n\nThe corresponding public key can be stored using the\n[`openssl pkey`](https://www.openssl.org/docs/manmaster/man1/openssl-pkey.html)\nor the\n[OSSL_ENCODER](https://www.openssl.org/docs/manmaster/man3/OSSL_ENCODER.html) API.\nThe SubjectPublicKeyInfo (`PUBLIC KEY`) and PKCS1 (`RSA PUBLIC KEY`) forms\nare supported, in either PEM or DER.\n\nFor example, to load a persistent key and export its public portion:\n```\nopenssl pkey -provider tpm2 -in handle:0x81000000 -pubout -out testkey.pub\n```\n\n### [Asymmetric Operations](docs/asymmetric.md)\n\nProvides asymmetric signing (TPM2_Sign) using the\n[`openssl pkeyutl -sign`](https://www.openssl.org/docs/manmaster/man1/openssl-pkeyutl.html)\nor the\n[EVP_DigestSign](https://www.openssl.org/docs/manmaster/man3/EVP_DigestSign.html) API.\nThe PKCS1 (rsassa) and PSS (rsapss) paddings (signing schemes) are supported.\n\nFor example, to sign arbitrary data:\n```\nopenssl pkeyutl -provider tpm2 -inkey handle:0x81000000 \\\n                -sign -rawin -in testdata -out testdata.sig\n```\n\nSigning using a restricted signing key is possible, e.g. one can sign arbitrary\ndata using the TPM attestation key (AK) created by `tpm2_createak`.\nSuch keys are compatible with e.g. 
the [strongSwan](https://www.strongswan.org/)\n[TPM Plugin](https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin).\nTherefore, OpenSSL can be used to create and deploy VPN keys/certificates.\n\nProvides RSA decryption (TPM2_RSA_Decrypt) using the\n[`openssl pkeyutl -decrypt`](https://www.openssl.org/docs/manmaster/man1/openssl-pkeyutl.html)\nor the\n[EVP_PKEY_decrypt](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_decrypt.html) API.\n\nProvides ECDH shared secret derivation (TPM2_ECDH_ZGen) using the\n[`openssl pkeyutl -derive`](https://www.openssl.org/docs/manmaster/man1/openssl-pkeyutl.html)\nor the\n[EVP_PKEY_derive](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive.html) API.\n\n### [Identity Certificates](docs/certificates.md)\n\nProvides all operations required to use a TPM2-based key for:\n - Certificate signing with\n   [`openssl req`](https://www.openssl.org/docs/manmaster/man1/openssl-req.html),\n - Certificate Authority (CA) using\n   [`openssl ca`](https://www.openssl.org/docs/manmaster/man1/openssl-ca.html),\n - Certificate Management Protocol (CMP) client using\n   [`openssl cmp`](https://www.openssl.org/docs/manmaster/man1/openssl-cmp.html),\n - Cryptographic Message Syntax (CMS, S/MIME) processing using\n   [`openssl cms`](https://www.openssl.org/docs/manmaster/man1/openssl-cms.html),\n - TLS authentication.\n\n\n## TPM Limitations\n\n### Limited Resources\n\nPlease mind the limited number of transient key and sequence objects that can\nbe concurrently loaded in the TPM. The number of ongoing digest operations and\nthe number of loaded private keys are limited. The in-kernel resource manager\n(`/dev/tpmrm`) is also memory-constrained.\n\nComplex scenarios such as SSL or X.509 operations require the creation of a large\nnumber of transient objects. 
The in-kernel resource manager is often not\nsufficient and\nthe [user-space resource manager](https://github.com/tpm2-software/tpm2-abrmd)\nmust be used with a sufficiently large `--max-transients` argument.\n\n### Limited Performance\n\nThe TPM is a cryptographic processor with secure key storage. It is **not**\nan accelerator. Many operations are slower than a pure software implementation.\n\nFor user convenience, the tpm2 provider also implements\n[Symmetric Operations](docs/symmetric.md) that do not use the secure storage,\nbut we recommend using OpenSSL's\n[default provider](docs/initialization.md#loading-multiple-providers)\ninstead in performance-critical applications.\n\n### Limited Set of Algorithms\n\nNot every OpenSSL operation will work with the TPM: some are not specified by\nthe TCG TPM specification, some might not be implemented by your TPM chip.\n\nThe list of algorithms supported by the tpm2 provider on your actual TPM can be\nretrieved using the [`openssl list`](https://www.openssl.org/docs/manmaster/man1/openssl-list.html)\ncommand.\n\nAlgorithms that do not require the TPM hardware, such as public key operations,\nhashes or symmetric ciphers, can be fetched from OpenSSL's\n[default provider](docs/initialization.md#loading-multiple-providers).\n\n\n## Help\n\nWhen you get stuck, remember:\n[Read-Search-Ask](https://www.freecodecamp.org/forum/t/how-to-get-help-when-you-are-stuck-coding/19514).\n 1. Read the error message and the [documentation](docs)\n 2. Search Google\n 3. Ask for help\n\nThe [test scripts](test) provide examples for each implemented functionality. 
Each\ntest is simple and well-documented.\n\nYou can ask a question via a GitHub\n[Issue](https://github.com/tpm2-software/tpm2-openssl/issues/new), or send\nan email to the TPM2\n[mailing list](https://lists.linuxfoundation.org/mailman/listinfo/tpm2).\n\n\n## License\n\ntpm2-openssl is distributed under the [BSD 3-Clause License](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftpm2-software%2Ftpm2-openssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftpm2-software%2Ftpm2-openssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftpm2-software%2Ftpm2-openssl/lists"}