DEV Community: tsuruko The latest articles on DEV Community by tsuruko (@tsuruko12). https://dev.to/tsuruko12 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3338981%2Fb6a5a762-1cbf-4d32-97b6-2d72f9cf6d25.png DEV Community: tsuruko https://dev.to/tsuruko12 en Automatically Revert Temporary Value Changes in a with Block tsuruko Sat, 21 Mar 2026 14:20:40 +0000 https://dev.to/tsuruko12/automatically-revert-temporary-value-changes-in-a-with-block-2dfb https://dev.to/tsuruko12/automatically-revert-temporary-value-changes-in-a-with-block-2dfb <p>The new <code>rollback()</code> API introduced in <code>triggon</code> v2.0.0 can automatically revert temporary changes to variables and attributes made in a <code>with</code> block.<br> It also supports local variables, so it's only available on CPython 3.13+.</p> <h2> Code Example </h2> <p>Here's a simple example.</p> <p>In this example, the variable <code>x</code> is assigned <code>99</code> inside the block, but once the block exits, it's restored to its original value, <code>1</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">triggon</span> <span class="kn">import</span> <span class="n">Triggon</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">with</span> <span class="n">Triggon</span><span class="p">.</span><span class="nf">rollback</span><span class="p">():</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">99</span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># 99 </span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># 1 </span></code></pre> </div> <p>You can also pass the names of variables or attributes to <code>rollback()</code>, so only the specified targets will be restored.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">A</span><span class="p">:</span> <span class="n">a</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># x isn't included in the rollback target </span><span class="k">with</span> <span class="n">Triggon</span><span class="p">.</span><span class="nf">rollback</span><span class="p">(</span><span class="sh">"</span><span class="s">A.a</span><span class="sh">"</span><span class="p">):</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">99</span> <span class="n">A</span><span class="p">.</span><span class="n">a</span> <span class="o">=</span> <span class="o">-</span><span class="mi">10</span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># 99 </span> <span class="nf">print</span><span class="p">(</span><span class="n">A</span><span class="p">.</span><span class="n">a</span><span class="p">)</span> <span class="c1"># -10 </span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># 99 </span><span class="nf">print</span><span class="p">(</span><span class="n">A</span><span class="p">.</span><span class="n">a</span><span class="p">)</span> <span class="c1"># 10 </span></code></pre> </div> <p>Variables defined inside the block aren't restored.</p> <p><code>triggon</code> recently had a major update with 8 new APIs.<br> You can check the details in the <a href="https://github.com/tsuruko12/triggon/releases/tag/v2.0.0" rel="noopener noreferrer">release notes</a>.</p> <p><code>triggon</code> is basically a label-based library, but <code>rollback()</code> can be used easily without registering labels, variables, or attributes in advance.</p> <p>It also includes other unique features such as deferred execution and flexible early-return handling, so feel free to check it out if you're interested.</p> python opensource library triggon How I Used TPM for Key Encryption in Rust on Linux (Hardware TPM & vTPM) tsuruko Wed, 24 Dec 2025 14:26:03 +0000 https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-on-linux-hardware-tpm-vtpm-4ond https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-on-linux-hardware-tpm-vtpm-4ond <p>Following my <strong>Windows</strong> implementation, this time I implemented key wrapping with a TPM on <strong>Linux</strong>.<br> (Windows version: <a href="https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-using-windows-apis-33n0">How I Used TPM for Key Encryption in Rust (Using Windows APIs)</a>)</p> <p>I used <code>tss-esapi</code> on <strong>Ubuntu</strong> (WSL) with a <strong>virtual TPM</strong> (vTPM).<br> For the vTPM, I used <code>swtpm</code> (v0.7.3).<br> By changing the connection target, the same code also works with a hardware TPM.</p> <p>I’ll walk you through the key-wrapping implementation and explain how it works!</p> <h2> Table of Contents </h2> <ul> <li>Cargo.toml</li> <li>Requirements to Build tss-esapi</li> <li>Implementation</li> <li> Explanation <ul> <li>1. Connect to the TPM</li> <li>2. Create a Context</li> <li>3. Start the TPM</li> <li>4. Get the SRK Handle</li> <li>5. Create and Persist an RSA Key</li> <li>6. Wrap the Key</li> <li>Unwrap the Key</li> <li>Shut Down the TPM</li> <li>Remove a Persistent Key</li> <li>Clear the TPM</li> <li>About tpm2-tss Logs</li> </ul> </li> <li>Final Thoughts</li> </ul> <h2> Cargo.toml </h2> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="py">getrandom</span> <span class="p">=</span> <span class="s">"0.4"</span> <span class="py">tss-esapi</span> <span class="p">=</span> <span class="s">"7.6"</span> <span class="py">zeroize</span> <span class="p">=</span> <span class="s">"1.8"</span> </code></pre> </div> <h2> Requirements to Build tss-esapi </h2> <ul> <li> <code>gcc</code> (C compiler / build tool)</li> <li> <code>pkg-config</code> (dependency discovery tool for builds)</li> <li> <code>libtss2-dev</code> (TPM libraries)</li> </ul> <p>The <code>tss-esapi-sys</code> README says it uses <code>pkg-config</code> at build time to locate <code>tss2-esys</code>, <code>tss2-tctildr</code>, and <code>tss2-mu</code>.<br> So make sure <code>pkg-config</code>, <code>libtss2-dev</code> (v2.3.3+), and <code>gcc</code> are installed.<br> <code>libtss2-dev</code> includes those three libraries.</p> <p><strong>Install on Ubuntu</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install </span>gcc pkg-config libtss2-dev </code></pre> </div> <h2> Implementation </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">convert</span><span class="p">::</span><span class="nb">TryFrom</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tss_esapi</span><span class="p">::{</span> <span class="n">Context</span><span class="p">,</span> <span class="nb">Result</span><span class="p">,</span> <span class="nn">attributes</span><span class="p">::</span><span class="nn">object</span><span class="p">::{</span><span class="n">ObjectAttributes</span><span class="p">,</span> <span class="n">ObjectAttributesBuilder</span><span class="p">},</span> <span class="nn">constants</span><span class="p">::{</span> <span class="nn">capabilities</span><span class="p">::</span><span class="n">CapabilityType</span><span class="p">,</span> <span class="nn">response_code</span><span class="p">::</span><span class="n">Tss2ResponseCodeKind</span><span class="p">,</span> <span class="nn">startup_type</span><span class="p">::</span><span class="n">StartupType</span><span class="p">,</span> <span class="p">},</span> <span class="nn">handles</span><span class="p">::{</span><span class="n">ObjectHandle</span><span class="p">,</span> <span class="n">PersistentTpmHandle</span><span class="p">,</span> <span class="n">TpmHandle</span><span class="p">},</span> <span class="nn">interface_types</span><span class="p">::{</span> <span class="nn">algorithm</span><span class="p">::{</span><span class="n">HashingAlgorithm</span><span class="p">,</span> <span class="n">PublicAlgorithm</span><span class="p">},</span> <span class="nn">key_bits</span><span class="p">::</span><span class="n">RsaKeyBits</span><span class="p">,</span> <span class="nn">resource_handles</span><span class="p">::{</span><span class="n">Hierarchy</span><span class="p">,</span> <span class="n">Provision</span><span class="p">},</span> <span class="nn">session_handles</span><span class="p">::</span><span class="n">AuthSession</span><span class="p">,</span> <span class="p">},</span> <span class="nn">structures</span><span class="p">::{</span> <span class="n">Auth</span><span class="p">,</span> <span class="n">CapabilityData</span><span class="p">,</span> <span class="n">Data</span><span class="p">,</span> <span class="n">HashScheme</span><span class="p">,</span> <span class="n">Public</span><span class="p">,</span> <span class="n">PublicBuilder</span><span class="p">,</span> <span class="n">PublicKeyRsa</span><span class="p">,</span> <span class="n">PublicRsaParameters</span><span class="p">,</span> <span class="n">PublicRsaParametersBuilder</span><span class="p">,</span> <span class="n">RsaDecryptionScheme</span><span class="p">,</span> <span class="n">RsaExponent</span><span class="p">,</span> <span class="n">RsaScheme</span><span class="p">,</span> <span class="n">SymmetricDefinitionObject</span><span class="p">,</span> <span class="p">},</span> <span class="nn">tcti_ldr</span><span class="p">::{</span><span class="n">DeviceConfig</span><span class="p">,</span> <span class="n">NetworkTPMConfig</span><span class="p">,</span> <span class="n">TctiNameConf</span><span class="p">},</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">zeroize</span><span class="p">::</span><span class="n">Zeroizing</span><span class="p">;</span> <span class="c1">// Note: This is a simplified version</span> <span class="k">const</span> <span class="n">RSA_KEY_AUTH</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">]</span> <span class="o">=</span> <span class="s">b"AuthValue"</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">build_public</span><span class="p">(</span><span class="n">attrs</span><span class="p">:</span> <span class="n">ObjectAttributes</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="n">PublicRsaParameters</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Public</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">public</span> <span class="o">=</span> <span class="nn">PublicBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_public_algorithm</span><span class="p">(</span><span class="nn">PublicAlgorithm</span><span class="p">::</span><span class="n">Rsa</span><span class="p">)</span> <span class="nf">.with_object_attributes</span><span class="p">(</span><span class="n">attrs</span><span class="p">)</span> <span class="nf">.with_name_hashing_algorithm</span><span class="p">(</span><span class="nn">HashingAlgorithm</span><span class="p">::</span><span class="n">Sha256</span><span class="p">)</span> <span class="nf">.with_rsa_parameters</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="nf">.with_rsa_unique_identifier</span><span class="p">(</span><span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">public</span><span class="p">)</span> <span class="p">}</span> <span class="k">struct</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// With a hardware TPM, the platform often shuts the TPM down automatically.</span> <span class="c1">// If that's the case in your environment, remove this block.</span> <span class="k">impl</span> <span class="nb">Drop</span> <span class="k">for</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="k">fn</span> <span class="nf">drop</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.shutdown</span><span class="p">(</span><span class="nn">StartupType</span><span class="p">::</span><span class="n">Clear</span><span class="p">)</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to shut down the TPM: {e}"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Encryption and hashing algorithms are chosen for broad compatibility</span> <span class="c1">// and are widely used and recommended</span> <span class="k">impl</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="k">fn</span> <span class="nf">new</span><span class="p">(</span><span class="n">use_vtpm</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="k">if</span> <span class="n">use_vtpm</span> <span class="p">{</span> <span class="c1">// By default, this connects to "localhost:2321"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Swtpm</span><span class="p">(</span><span class="nn">NetworkTPMConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// By default, this connects to "/dev/tpm0"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Device</span><span class="p">(</span><span class="nn">DeviceConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nn">Context</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">tcti</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// With a hardware TPM, the platform often starts the TPM automatically.</span> <span class="c1">// If that's the case in your environment, remove this line.</span> <span class="n">ctx</span><span class="nf">.startup</span><span class="p">(</span><span class="nn">StartupType</span><span class="p">::</span><span class="n">Clear</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">Self</span> <span class="p">{</span> <span class="n">ctx</span> <span class="p">})</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">wrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">target_key</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">target_key</span> <span class="o">=</span> <span class="nn">Zeroizing</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">target_key</span><span class="p">);</span> <span class="k">let</span> <span class="n">hrsa</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.ensure_rsa_key</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Wrap the target key</span> <span class="k">let</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_nullauth_session</span><span class="p">(|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="n">ctx</span><span class="nf">.rsa_encrypt</span><span class="p">(</span> <span class="n">hrsa</span><span class="nf">.into</span><span class="p">(),</span> <span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">target_key</span><span class="nf">.as_slice</span><span class="p">())</span><span class="o">?</span><span class="p">,</span> <span class="nn">RsaDecryptionScheme</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="nn">Data</span><span class="p">::</span><span class="nf">default</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">wrapped_key</span><span class="nf">.to_vec</span><span class="p">())</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">unwrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">target_key</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">hrsa</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.ensure_rsa_key</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Set the auth value for the key object</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.tr_set_auth</span><span class="p">(</span><span class="n">hrsa</span><span class="p">,</span> <span class="nn">Auth</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">RSA_KEY_AUTH</span><span class="p">)</span><span class="o">?</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Unwrap the target key</span> <span class="k">let</span> <span class="n">unwrapped_key</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_nullauth_session</span><span class="p">(|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="n">ctx</span><span class="nf">.rsa_decrypt</span><span class="p">(</span> <span class="n">hrsa</span><span class="nf">.into</span><span class="p">(),</span> <span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">target_key</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nn">RsaDecryptionScheme</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="nn">Data</span><span class="p">::</span><span class="nf">default</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">unwrapped_key</span><span class="nf">.to_vec</span><span class="p">())</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">ensure_rsa_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">ObjectHandle</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.clear_sessions</span><span class="p">();</span> <span class="c1">// Create a new SRK and RSA key if they don't exist</span> <span class="c1">// Persistent handle values are in the range 0x81000000–0x81FFFFFF</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">value</span> <span class="o">=</span> <span class="mi">0x81000000</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">srk</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">let</span> <span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">more</span><span class="p">)</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.get_capability</span><span class="p">(</span><span class="nn">CapabilityType</span><span class="p">::</span><span class="n">Handles</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">CapabilityData</span><span class="p">::</span><span class="nf">Handles</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="o">=</span> <span class="n">data</span> <span class="p">{</span> <span class="k">let</span> <span class="n">handles</span> <span class="o">=</span> <span class="n">h</span><span class="nf">.into_inner</span><span class="p">();</span> <span class="k">if</span> <span class="n">handles</span><span class="nf">.is_empty</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Create a new SRK and RSA key if there are no registered handles</span> <span class="k">let</span> <span class="n">srk</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.create_srk</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">self</span><span class="nf">.create_rsa_key</span><span class="p">(</span><span class="n">srk</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="n">last_value</span> <span class="o">=</span> <span class="n">handles</span><span class="nf">.last</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">value</span> <span class="o">=</span> <span class="nn">u32</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="o">*</span><span class="n">last_value</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="k">for</span> <span class="n">handle</span> <span class="k">in</span> <span class="n">handles</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">TpmHandle</span><span class="p">::</span><span class="nf">Persistent</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="o">=</span> <span class="n">handle</span> <span class="p">{</span> <span class="k">let</span> <span class="n">target_handle</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.tr_from_tpm_public</span><span class="p">(</span><span class="n">handle</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Read the target handle's public area</span> <span class="k">let</span> <span class="p">(</span><span class="n">public</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.read_public</span><span class="p">(</span><span class="n">target_handle</span><span class="nf">.into</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">Public</span><span class="p">::</span><span class="n">Rsa</span> <span class="p">{</span> <span class="n">object_attributes</span><span class="p">,</span> <span class="o">..</span> <span class="p">}</span> <span class="o">=</span> <span class="n">public</span> <span class="p">{</span> <span class="k">let</span> <span class="n">attrs</span> <span class="o">=</span> <span class="n">object_attributes</span><span class="p">;</span> <span class="c1">// Find a handle with attributes matching the RSA wrapping key</span> <span class="k">if</span> <span class="o">!</span><span class="n">attrs</span><span class="nf">.restricted</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.fixed_tpm</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.fixed_parent</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.sensitive_data_origin</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.user_with_auth</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.decrypt</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">target_handle</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">attrs</span><span class="nf">.restricted</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.decrypt</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.fixed_tpm</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.fixed_parent</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.sensitive_data_origin</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">attrs</span><span class="nf">.no_da</span><span class="p">()</span> <span class="p">{</span> <span class="n">srk</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">target_handle</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="o">!</span><span class="n">more</span> <span class="p">{</span> <span class="c1">// If there are no more handles</span> <span class="k">if</span> <span class="k">let</span> <span class="nb">None</span> <span class="o">=</span> <span class="n">srk</span> <span class="p">{</span> <span class="k">let</span> <span class="n">srk</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.create_srk</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">self</span><span class="nf">.create_rsa_key</span><span class="p">(</span><span class="n">srk</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">self</span><span class="nf">.create_rsa_key</span><span class="p">(</span><span class="n">srk</span><span class="nf">.unwrap</span><span class="p">())</span><span class="o">?</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">make_persistent</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">handle</span><span class="p">:</span> <span class="k">impl</span> <span class="nb">Into</span><span class="o">&lt;</span><span class="n">ObjectHandle</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">ObjectHandle</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">value</span> <span class="o">=</span> <span class="mi">0x81000001</span><span class="p">;</span> <span class="k">let</span> <span class="n">handle</span> <span class="o">=</span> <span class="n">handle</span><span class="nf">.into</span><span class="p">();</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">match</span> <span class="k">self</span> <span class="py">.ctx</span> <span class="c1">// Set a password session</span> <span class="nf">.execute_with_session</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Make the target object persistent</span> <span class="n">ctx</span><span class="nf">.evict_control</span><span class="p">(</span> <span class="nn">Provision</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="n">handle</span><span class="p">,</span> <span class="nn">PersistentTpmHandle</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">value</span><span class="p">)</span><span class="o">?</span><span class="nf">.into</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Registered the object at handle {value:#x}."</span><span class="p">);</span> <span class="c1">// Remove the transient object</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.flush_context</span><span class="p">(</span><span class="n">handle</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">h</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// When the target handle value is already in use</span> <span class="k">if</span> <span class="nd">matches!</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">e</span><span class="p">,</span> <span class="nn">tss_esapi</span><span class="p">::</span><span class="nn">Error</span><span class="p">::</span><span class="nf">Tss2Error</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="k">if</span> <span class="n">code</span><span class="nf">.kind</span><span class="p">()</span> <span class="o">==</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Tss2ResponseCodeKind</span><span class="p">::</span><span class="n">NvDefined</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="n">value</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">create_rsa_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">hsrk</span><span class="p">:</span> <span class="n">ObjectHandle</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">ObjectHandle</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">attrs</span> <span class="o">=</span> <span class="nn">ObjectAttributesBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_fixed_tpm</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_fixed_parent</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_user_with_auth</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_sensitive_data_origin</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_decrypt</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">hash_algo</span> <span class="o">=</span> <span class="nn">HashScheme</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HashingAlgorithm</span><span class="p">::</span><span class="n">Sha256</span><span class="p">);</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="nn">PublicRsaParametersBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_scheme</span><span class="p">(</span><span class="nn">RsaScheme</span><span class="p">::</span><span class="nf">Oaep</span><span class="p">(</span><span class="n">hash_algo</span><span class="p">))</span> <span class="nf">.with_key_bits</span><span class="p">(</span><span class="nn">RsaKeyBits</span><span class="p">::</span><span class="n">Rsa2048</span><span class="p">)</span> <span class="nf">.with_exponent</span><span class="p">(</span><span class="nn">RsaExponent</span><span class="p">::</span><span class="n">ZERO_EXPONENT</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_result</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_session</span><span class="p">(</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="c1">// Set a password session</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Create a new RSA key</span> <span class="k">let</span> <span class="n">key_result</span> <span class="o">=</span> <span class="n">ctx</span><span class="nf">.create</span><span class="p">(</span> <span class="n">hsrk</span><span class="nf">.into</span><span class="p">(),</span> <span class="nf">build_public</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Auth</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">RSA_KEY_AUTH</span><span class="p">)</span><span class="o">?</span><span class="p">),</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Load the created RSA key into the TPM</span> <span class="n">ctx</span><span class="nf">.load</span><span class="p">(</span><span class="n">hsrk</span><span class="nf">.into</span><span class="p">(),</span> <span class="n">key_result</span><span class="py">.out_private</span><span class="p">,</span> <span class="n">key_result</span><span class="py">.out_public</span><span class="p">)</span> <span class="p">},</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">self</span><span class="nf">.make_persistent</span><span class="p">(</span><span class="n">key_result</span><span class="p">)</span><span class="o">?</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">create_srk</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">ObjectHandle</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">attrs</span> <span class="o">=</span> <span class="nn">ObjectAttributesBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_fixed_tpm</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_fixed_parent</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_no_da</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_restricted</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_user_with_auth</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_sensitive_data_origin</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_decrypt</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="nn">PublicRsaParametersBuilder</span><span class="p">::</span><span class="nf">new_restricted_decryption_key</span><span class="p">(</span> <span class="nn">SymmetricDefinitionObject</span><span class="p">::</span><span class="n">AES_128_CFB</span><span class="p">,</span> <span class="nn">RsaKeyBits</span><span class="p">::</span><span class="n">Rsa2048</span><span class="p">,</span> <span class="nn">RsaExponent</span><span class="p">::</span><span class="n">ZERO_EXPONENT</span><span class="p">,</span> <span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_result</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_session</span><span class="p">(</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="c1">// Set a password session</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Create a new SRK</span> <span class="n">ctx</span><span class="nf">.create_primary</span><span class="p">(</span> <span class="nn">Hierarchy</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="nf">build_public</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">)</span> <span class="p">},</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">self</span><span class="nf">.make_persistent</span><span class="p">(</span><span class="n">key_result</span><span class="py">.key_handle</span><span class="p">)</span><span class="o">?</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This implementation scans the TPM's persistent handles each time to look for the wrapping key created earlier. It verifies the key by checking its attributes. If it can’t find a match, it creates a new <em>RSA</em> key.</p> <p>For authorization, it sets up password sessions or HMAC sessions depending on the function. Some functions don’t allow password sessions, or restrict which session attributes can be used, so the appropriate session type should be used for each case.</p> <p><code>tr_from_tpm_public()</code>, which constructs an ESYS object, is used to operate on an existing TPM object.</p> <p>Since this is a simplified version, the password used as the <em>RSA</em> key’s auth value is defined as a <code>const</code>.<br> <strong>In real-world use, you should manage it securely.</strong></p> <p>To confirm it works, try running the main function below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Connect to vTPM</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">key_wrapper</span> <span class="o">=</span> <span class="k">match</span> <span class="nn">KeyWrapper</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">t</span><span class="p">,</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to connect to the TPM: {e}"</span><span class="p">);</span> <span class="k">return</span> <span class="p">},</span> <span class="p">};</span> <span class="c1">// Create a key to be wrapped (AES-256)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">key</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">];</span> <span class="nn">getrandom</span><span class="p">::</span><span class="nf">fill</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">key</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Original key: {:?}"</span><span class="p">,</span> <span class="n">key</span><span class="p">);</span> <span class="k">let</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="k">match</span> <span class="n">key_wrapper</span><span class="nf">.wrap_key</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">k</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Wrapped key: {:?}"</span><span class="p">,</span> <span class="n">k</span><span class="p">);</span> <span class="n">k</span> <span class="p">},</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to wrap the key: {e}"</span><span class="p">);</span> <span class="k">return</span> <span class="p">},</span> <span class="p">};</span> <span class="k">match</span> <span class="n">key_wrapper</span><span class="nf">.unwrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="n">wrapped_key</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">k</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Unwrapped key: {:?}"</span><span class="p">,</span> <span class="n">k</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to unwrap the key: {e}"</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you want to delete the key you created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">delete_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// `value` is the handle value to remove</span> <span class="k">let</span> <span class="n">handle</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.tr_from_tpm_public</span><span class="p">(</span><span class="nn">TpmHandle</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">value</span><span class="p">)</span><span class="o">?</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="k">self</span> <span class="py">.ctx</span> <span class="nf">.execute_with_session</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Remove the persistent handle</span> <span class="n">ctx</span><span class="nf">.evict_control</span><span class="p">(</span> <span class="nn">Provision</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="n">handle</span><span class="p">,</span> <span class="nn">PersistentTpmHandle</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">value</span><span class="p">)</span><span class="o">?</span><span class="nf">.into</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Removed the object at handle {value:#x}."</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><code>evict_control()</code> behaves differently depending on whether the target is a transient object or a persistent one.</p> <p>If the target is a transient object, it’s registered under the specified persistent handle.<br> If the target is already a persistent object, it's removed instead.</p> <p>If you run it in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Specify the connection target using an environment variable</span> <span class="nb">export </span><span class="nv">TPM2TOOLS_TCTI</span><span class="o">=</span><span class="s2">"swtpm:host=localhost,port=2321"</span> <span class="c"># vTPM(swtpm)</span> <span class="nb">export </span><span class="nv">TPM2TOOLS_TCTI</span><span class="o">=</span><span class="s2">"device:/dev/tpm0"</span> <span class="c"># hardware TPM</span> <span class="c"># Remove the persistent object at handle 0x81000002</span> <span class="c"># If the hierarchy has an auth value, specify it with "-P" ("--auth")</span> tpm2_evictcontrol <span class="nt">-c</span> 0x81000002 </code></pre> </div> <p>You can also easily list the current TPM handles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List persistent handles</span> tpm2_getcap handles-persistent <span class="c"># List the known supported capability names</span> tpm2_getcap <span class="nt">-l</span> </code></pre> </div> <h2> Explanation </h2> <p>I referred to the following resources to learn about TPM 2.0, including its architecture and function parameters:</p> <ul> <li><a href="https://docs.rs/tss-esapi/latest/tss_esapi/index.html" rel="noopener noreferrer">tss-esapi — API documentation (docs.rs)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf" rel="noopener noreferrer">TCG TPM v2.0 Provisioning Guidance</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-Version-1p06_pub.pdf" rel="noopener noreferrer">TCG PC Client Platform TPM Profile Specification for TPM 2.0</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p0_r14_pub10012021.pdf" rel="noopener noreferrer">TCG TSS 2.0 Enhanced System API (ESAPI) Specification</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module 2.0 Library Part 1: Architecture</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module 2.0 Library Part 2: Structures</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module 2.0 Library Part 3: Commands</a></li> </ul> <p>I also used this resource as a reference for <code>tpm2-tools</code> command usage:</p> <ul> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/" rel="noopener noreferrer">tpm2-tools — official documentation (man pages)</a></li> </ul> <p>In this section, I’ll explain the key-wrapping workflow and the relevant functions and parameters based on the references above.</p> <h3> 1. Connect to the TPM </h3> <p>If you use a hardware TPM, make sure it’s enabled.</p> <p>To connect to <code>swtpm</code>, you need to start the vTPM server in the terminal.<br> In this implementation, the connection uses a <strong>TCP socket</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sample command</span> swtpm socket <span class="se">\</span> <span class="nt">--tpm2</span> <span class="se">\</span> <span class="nt">--server</span> <span class="nb">type</span><span class="o">=</span>tcp,port<span class="o">=</span>2321 <span class="se">\</span> <span class="nt">--ctrl</span> <span class="nb">type</span><span class="o">=</span>tcp,port<span class="o">=</span>2322 <span class="se">\</span> <span class="nt">--tpmstate</span> <span class="nb">dir</span><span class="o">=</span>/path/to/dir <span class="se">\</span> <span class="nt">--flags</span> startup-clear </code></pre> </div> <h4> --tpm2 </h4> <p><code>--tpm2</code></p> <p>This option selects <em>TPM 2.0</em>.<br> If not specified, <em>TPM 1.2</em> is used.</p> <h4> --server </h4> <p><code>--server [type=tcp][,port=&lt;port&gt;[,bindaddr=&lt;address&gt; [,ifname=&lt;ifname&gt;]]][,fd=&lt;fd&gt;][,disconnect]</code></p> <p>This option accepts TCP connections on the given port.</p> <p>If you specify a port (<code>port</code>), you can also specify a bind address (<code>bindaddr</code>).<br> The default bind address is <code>127.0.0.1</code>.<br> if not specified, you must specify a file descriptor (<code>fd</code>).</p> <p>If you use a link-local IPv6 address, you must specify the interface name (<code>ifname</code>) to bind to.</p> <p>Unless <code>disconnect</code> is specified, the connection remains persistent.</p> <h4> --ctrl </h4> <p><code>--ctrl type=[unixio|tcp][,path=&lt;path&gt;] [,port=&lt;port&gt;[,bindaddr=&lt;address&gt;[,ifname=&lt;ifname&gt;]]][,fd=&lt;filedescriptor&gt;|clientfd=&lt;filedescriptor&gt;] [,mode=&lt;0...&gt;][,uid=&lt;uid&gt;][,gid=&lt;gid&gt;]</code></p> <p>This option adds a control channel to the TPM.</p> <p>You can choose one of the following connection methods:</p> <ul> <li> <strong>Unix domain socket</strong> <ul> <li>Connect using either a path (<code>path</code>) or a file descriptor (<code>fd</code>).</li> </ul> </li> <li> <strong>TCP socket</strong> <ul> <li>Connect using either a port (<code>port</code>) or a file descriptor (<code>clientfd</code>).</li> </ul> </li> </ul> <p>If you specify a port (<code>port</code>), you can also specify a bind address (<code>bindaddr</code>).<br> The default bind address is <code>127.0.0.1</code>.</p> <h4> --tpmstate </h4> <p><code>--tpmstate dir=&lt;dir&gt;[,mode=&lt;0...&gt;]|backend-uri=&lt;uri&gt;</code></p> <p>This option stores the TPM’s state in the specified directory.</p> <p>When the state is saved you’ll see files like:</p> <ul> <li> <code>tpm2-00.permall</code> (non-volatile data)</li> <li> <code>tpm2-00.volatilestate</code> (volatile data)</li> <li> <code>tpm-00.savestate</code> (TPM 1.2 only)</li> </ul> <p>The directory can also be specified using the <code>TPM_PATH</code>.<br> If both are set, this option is used instead of <code>TPM_PATH</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">TPM_PATH</span><span class="o">=</span>/path/to/dir </code></pre> </div> <h4> --flags </h4> <p><code>--flags [not-need-init] [,startup-clear|startup-state|startup-deactivated|startup-none]</code></p> <p>This option controls the behavior of the <code>TPM_Startup</code> / <code>TPM2_Startup</code> command.</p> <p>It automatically sends the Startup command unless you use <code>startup-none</code>, or use <code>not-need-init</code> on its own.</p> <ul> <li> <code>startup-clear</code>: Normal initialization (resets PCRs and volatile state)</li> <li> <code>startup-state</code>: Restore volatile state (except PCRs)</li> <li> <code>startup-deactivated</code>: TPM 1.2 only (start in deactivated mode)</li> <li> <code>startup-none</code>: Do not send any Startup command</li> </ul> <p>These options except <code>startup-none</code> imply <code>not-need-init</code>.<br> The <code>not-need-init</code> flag enables the TPM to accept commands without an INIT being sent.</p> <p><code>startup-none</code> seems intended for cases where you send both the INIT and Startup commands yourself.</p> <p>If none of these options are specified, <code>startup-clear</code> is used by default.</p> <blockquote> <p><strong><em>Note:</em></strong><br> I tested whether <code>startup-state</code> actually saves the volatile state, but it didn't. I’m not sure if this is unsupported in TPM 2.0.<br> However, when I ran <code>swtpm_ioctl</code> with the <code>-v</code> option to save the state to a file manually, it worked.</p> <p>To use this tool, install <code>swtpm-tools</code>.</p> <pre class="highlight shell"><code><span class="c"># Specify the port for the control channel with `--tcp`</span> <span class="c"># The defaults are server "127.0.0.1" and port "6545"</span> swtpm_ioctl <span class="nt">--tcp</span> :2322 <span class="nt">-v</span> </code></pre> </blockquote> <h4> Other Options </h4> <p>If you want to daemonize the process, specify <code>-d</code> (<code>--daemon</code>).</p> <p>If you want to enable logging, specify <code>--log</code>.<br> <code>--log [fd=&lt;fd&gt;|file=&lt;path&gt;][,level=&lt;n&gt;][,prefix=&lt;prefix&gt;][,truncate]</code></p> <p>You can specify the log file path (<code>file</code>), and the log level (<code>level</code>).<br> If the log level is <strong>5</strong> or higher, debug tracing for <code>libtpms</code> is enabled.</p> <p>For other options, refer to the <code>swtpm</code> manual:</p> <ul> <li><a href="https://manpages.ubuntu.com/manpages/noble/man8/swtpm.8.html" rel="noopener noreferrer">Ubuntu <code>swtpm</code> manual</a></li> </ul> <blockquote> <p><strong>Note:</strong><br> As a <strong>TPM 2.0-specific caution</strong>, the <code>TPM_PT_LOCKOUT_COUNTER</code> (dictionary-attack lockout counter) may cause the TPM to become <strong>locked out</strong> once it reaches its limit.</p> <p>For example, this counter can increase when you enter an incorrect auth value, or if you disconnect without calling <code>TPM2_Shutdown()</code> after accessing a command that requires authorization.<br> The TPM checks during <code>TPM2_Startup()</code> whether the previous shutdown was orderly.</p> <p>Once the TPM is locked out, commands that require authorization will fail with an error on the next attempt.<br> To prevent this, <strong>always call <code>TPM2_Shutdown()</code> at the end.</strong></p> <p>In <code>swtpm</code> <strong>v0.8 and later</strong>, <code>TPM2_Shutdown()</code> is sent automatically unless you set <code>disable-auto-shutdown</code>. In earlier versions, you need to do it manually (this behavior is documented in the <code>CHANGES</code> file).</p> <p>If you want to disable this counter for a specific object, you can set <code>with_no_da(true)</code> when creating that object.</p> <p>If you do get locked out, you can either wait for the recovery time (the delay until the next auth attempt is allowed) or clear the lockout state using <code>tpm2-tools</code> commands.</p> <pre class="highlight shell"><code><span class="c"># Specify the connection target using an environment variable</span> <span class="c"># Example: connect to a vTPM (swtpm)</span> <span class="c"># If not specified, the default IP address is "127.0.0.1" and the port is "2321"</span> <span class="nb">export </span><span class="nv">TPM2TOOLS_TCTI</span><span class="o">=</span><span class="s2">"swtpm:host=localhost,port=2321"</span> <span class="c"># Example: connect to a physical TPM</span> <span class="c"># If not specified, the default device path is "/dev/tpm0"</span> <span class="nb">export </span><span class="nv">TPM2TOOLS_TCTI</span><span class="o">=</span><span class="s2">"device:/dev/tpm0"</span> <span class="c"># Clear the lockout state with "-c"</span> tpm2_dictionarylockout <span class="nt">-c</span> <span class="c"># Or specify the connection target along with the command</span> tpm2_dictionarylockout <span class="nt">-c</span> <span class="nt">-T</span> swtpm:host<span class="o">=</span>localhost,port<span class="o">=</span>2321 </code></pre> </blockquote> <ul> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_dictionarylockout.1/" rel="noopener noreferrer">tpm2_dictionarylockout(1) - tpm2-tools</a></li> </ul> <p>🔗 Reference:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module 2.0 Library Part 1: Architecture (p.143 Dictionary Attack Protection)</a></li> </ul> <p>Next, you need to configure the library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="k">if</span> <span class="n">use_vtpm</span> <span class="p">{</span> <span class="c1">// By default, this connects to "localhost:2321"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Swtpm</span><span class="p">(</span><span class="nn">NetworkTPMConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// By default, this connects to "/dev/tpm0"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Device</span><span class="p">(</span><span class="nn">DeviceConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">};</span> </code></pre> </div> <p>In this implementation, I use these defaults.<br> If you want to connect to a custom port or path, use <code>from_str()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">str</span><span class="p">::</span><span class="n">FromStr</span><span class="p">;</span> <span class="c1">// Custom port/host</span> <span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">from_str</span><span class="p">(</span><span class="s">"swtpm:port=1234,host=127.0.0.1"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Custom TPM device path</span> <span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">from_str</span><span class="p">(</span><span class="s">"device:/dev/tpmrm0"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>To load the connection settings from an environment variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// The lookup order is: TPM2TOOLS_TCTI → TCTI → TEST_TCTI</span> <span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">from_environment_variable</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>Other connection options include <strong>mssim</strong> (Microsoft TPM simulator) and <strong>tabrmd</strong> (the <code>tpm2-abrmd</code> daemon), but I won’t cover them in this article.</p> <h3> 2. Create a Context </h3> <p>Use <code>Context::new()</code> to create an <strong>ESYS (Enhanced System API) context</strong> from the TCTI you choose.<br> A Context mainly manages ESAPI state, such as sessions and TPM resources.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuivkxn8g0ox7ovch3lo2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuivkxn8g0ox7ovch3lo2.png" width="800" height="57"></a></p> <p>For <code>tcti_name_conf</code>, pass the TCTI configuration you defined earlier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">tcti</span> <span class="o">=</span> <span class="k">if</span> <span class="n">use_vtpm</span> <span class="p">{</span> <span class="c1">// By default, this connects to "localhost:2321"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Swtpm</span><span class="p">(</span><span class="nn">NetworkTPMConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// By default, this connects to "/dev/tpm0"</span> <span class="nn">TctiNameConf</span><span class="p">::</span><span class="nf">Device</span><span class="p">(</span><span class="nn">DeviceConfig</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="p">};</span> <span class="c1">// Create a Context with the specified TCTI</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nn">Context</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">tcti</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>If you want to use the resource manager (tpm2-abrmd), you can create the context with <code>new_with_tabrmd()</code>.</p> <h3> 3. Start the TPM </h3> <p>After creating a context, may you need to call <code>startup()</code>.</p> <p>With a hardware TPM, the platform often sends <code>TPM2_Startup()</code> during boot, so calling it yourself can run it twice and may cause an error.<br><br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-Version-1p06_pub.pdf" rel="noopener noreferrer">TCG PC Client Platform TPM Profile Specification for TPM 2.0 (p.31 Power Management)</a>)<br> With <code>swtpm</code>, calling it twice didn’t cause an error in my tests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nn">Context</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">tcti</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="n">ctx</span><span class="nf">.startup</span><span class="p">(</span><span class="nn">StartupType</span><span class="p">::</span><span class="n">Clear</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Run this function after creating a context.</span> <span class="c1">// But if the platform or swtpm already starts it automatically,</span> <span class="c1">// you can skip it.</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihc4xt3fnv2ftaofbbkf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihc4xt3fnv2ftaofbbkf.png" width="800" height="60"></a></p> <p>For <code>startup_type</code>, pass the startup mode to <code>Clear</code> or <code>State</code>.<br> Whether the previous volatile state can be restored depends on the argument used in the previous <code>shutdown()</code>.</p> <p><strong><em>Reset:</em></strong><br> Previous: <code>shutdown(StartupType::Clear)</code> → Next: <code>startup(StartupType::Clear)</code></p> <p>Most values are initialized to their default values or to new random values.<br> Persistent data stored in NV (non-volatile) memory is not affected.<br> If you call <code>startup(StartupType::State)</code>, there is no saved state to restore, so it fails.</p> <p><strong><em>Restart:</em></strong><br> Previous: <code>shutdown(StartupType::State)</code> → Next: <code>startup(StartupType::Clear)</code></p> <p>Volatile state (except PCRs) is restored, but PCRs are cleared (initialized).<br> This allows the next boot measurements to be recorded correctly.</p> <p><strong><em>Resume:</em></strong><br> Previous: <code>shutdown(StartupType::State)</code> → Next: <code>startup(StartupType::State)</code></p> <p>All volatile state saved by <code>shutdown(StartupType::State)</code> is restored, including PCRs.<br> However, PCRs that aren't saved are initialized.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start with State</span> tpm2_startup <span class="c"># Start with Clear</span> tpm2_startup <span class="nt">-c</span> </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_startup.1/" rel="noopener noreferrer"><em>tpm2_startup(1) - tpm2-tools</em></a></p> <h4> What are PCRs? </h4> <p><strong>PCRs (Platform Configuration Registers)</strong> are dedicated registers used to validate the platform’s state.</p> <p>During system boot (and other security-relevant events), measurements are recorded in a log. The measurement itself (or its hash) is sent to the TPM and extended into a PCR, so the PCR value is accumulated as a chain of hashes.<br> Using this value, you can verify whether the measurement log has been tampered with.</p> <p>It’s possible to use a single PCR, but in practice, measured boot assigns measurements to specific PCRs, so they’re usually spread across multiple PCRs.</p> <blockquote> <p><strong>Note:</strong><br> The number of PCRs and their attributes depend on the platform.</p> </blockquote> <p>🔗 References:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.61 Startup State)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.42 TPM2_Startup)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.57 Platform Configuration Registers (PCR)</a></li> </ul> <h3> 4. Get the SRK Handle </h3> <p>To create a wrapping key (an <em>RSA</em> key), you need its parent key, the <em>SRK</em>.<br> On a vTPM, there is often no persisted <em>SRK</em> yet, so you may need to create one and make it persistent.</p> <p>It’s common to persist the <em>SRK</em> at <strong>0x81000001</strong>, so you’ll often find it there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp03liob8cjpkub2fnzin.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp03liob8cjpkub2fnzin.png" width="800" height="317"></a></p> <p>To read the TPM capabilities, use <code>get_capability()</code>.<br> This function only allows the <code>audit</code> session attribute, so make sure other session attributes are disabled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// The return value includes the retrieved data and a bool indicating</span> <span class="c1">// whether more data is available</span> <span class="k">let</span> <span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">more</span><span class="p">)</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.get_capability</span><span class="p">(</span> <span class="nn">CapabilityType</span><span class="p">::</span><span class="n">Handles</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4xanql3ta1xt9vz6lvs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4xanql3ta1xt9vz6lvs.png" width="800" height="192"></a></p> <p>For <code>capability</code>, pass the type of data you want to retrieve.</p> <p>For <code>property</code>, it depends on the <code>capability</code> type.<br> For handles, pass the handle value to start from.</p> <p>For <code>property_count</code>, pass how many entries to request at once.<br> Depending on the TPM implementation, it may return fewer entries than requested.<br> Also, even if you repeat the request with the same parameters, the number of entries returned may vary from call to call.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List transient handles</span> tpm2_getcap handles-transient <span class="c"># List persistent handles</span> tpm2_getcap handles-persistent </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_getcap.1/" rel="noopener noreferrer"><em>tpm2_getcap(1) - tpm2-tools</em></a></p> <h4> ESYS Object Construction </h4> <p>To operate on an object in the TPM, you need to construct an ESYS object using <code>tr_from_tpm_public()</code>.<br> This function only allows the <code>audit</code> and <code>encrypt</code> session attributes, so make sure other session attributes are disabled.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3yg2d6gfpb2fy4mdyyj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3yg2d6gfpb2fy4mdyyj.png" width="800" height="116"></a></p> <p>For <code>tpm_handle</code>, pass the handle you want to read.</p> <h4> Reading the Public Area </h4> <p><code>read_public()</code> reads the public area of the specified handle.<br> This function only allows the <code>audit</code> and <code>encrypt</code> session attributes, so make sure other session attributes are disabled.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr8ihlifrec8760wj10z4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr8ihlifrec8760wj10z4.png" width="800" height="117"></a></p> <p>For <code>key_handle</code>, pass the object handle whose public area you want to read.<br> Since <code>From&lt;KeyHandle&gt;</code> is implemented for <code>ObjectHandle</code>, you can convert it with <code>into()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Convert the TPM handle to an ESYS object (handle)</span> <span class="k">let</span> <span class="n">target_handle</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.tr_from_tpm_public</span><span class="p">(</span><span class="n">handle</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Read the object's public area</span> <span class="k">let</span> <span class="p">(</span><span class="n">public</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.read_public</span><span class="p">(</span><span class="n">target_handle</span><span class="nf">.into</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Read the public area from the context file path (or handle value) with "-c"</span> tpm2_readpublic <span class="nt">-c</span> rsa.ctx </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_readpublic.1/" rel="noopener noreferrer"><em>tpm2_readpublic(1) - tpm2-tools</em></a></p> <h3> 5. Create and Persist an RSA Key </h3> <p>Once you have the <em>SRK</em>, you can create an <em>RSA</em> key for key wrapping.<br> In this section, I’ll also explain how to create an <em>SRK</em>.</p> <p>In this implementation, it looks for a previously created <em>RSA</em> key on each run. In real-world use, it’s more efficient to store its persistent handle value.</p> <p>Before calling the key-creation functions, make sure your authorization settings are in place, since these functions require authorization.</p> <h4> Authorization Settings </h4> <p>To set the auth value for an object handle, use <code>tr_set_auth()</code>.<br> <strong>If the auth value is an empty byte string, you can skip this call</strong>.<br> The official documentation states that the default auth value for hierarchy handles (and similar handles) is an empty byte string.<br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf" rel="noopener noreferrer">TCG TPM v2.0 Provisioning Guidance (p.19, Owner Authorizations)</a>, <a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module 2.0 Library Part 1: Architecture (p.74, Owner Controls)</a>)</p> <p>To configure authorization sessions, use <code>set_sessions()</code>.<br> By default, a session is created with <code>with_continue_session(true)</code>, so it remain active even after the function succeeds.<br> If you want to use HMAC or policy authorization, you need to create a session with <code>start_auth_session()</code>.</p> <p>In the implementation, <code>execute_with_session()</code> is used to apply sessions only to the functions that need them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyub2qobkjmodp7qtsvn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyub2qobkjmodp7qtsvn.png" alt=" " width="800" height="181"></a></p> <p>For <code>session_handles</code>, set the sessions to use for authorization.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kja5sepd6asunzvl2v9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kja5sepd6asunzvl2v9.png" width="800" height="170"></a></p> <p><code>Password</code> is used for simple <strong>password authorization only</strong>.</p> <p><code>HmacSession</code> derives an HMAC key by combining the session key and the object’s auth value. If both are empty, the HMAC key remains an empty byte string.<br> Even if both are empty, authorization still happens, but using an HMAC session is basically pointless for authorization alone in this case.<br> Using <code>Password</code> is usually a better choice here because it has lower communication overhead.<br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.125, No HMAC Authorization)</a>)</p> <blockquote> <p><strong>Note:</strong><br> The order of setting the auth value and the auth session does not matter, but both must be set before calling the target function.</p> </blockquote> <h4> Key Creation </h4> <p>Use <code>create_primary()</code> for the <em>SRK</em> and <code>create()</code> for the <em>RSA</em> key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// SRK</span> <span class="k">let</span> <span class="n">key_result</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_session</span><span class="p">(</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="c1">// Set a password session</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Create a new SRK</span> <span class="n">ctx</span><span class="nf">.create_primary</span><span class="p">(</span> <span class="nn">Hierarchy</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="nf">build_public</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">)</span> <span class="p">},</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// RSA key</span> <span class="k">let</span> <span class="n">key_result</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.create</span><span class="p">(</span> <span class="n">hsrk</span><span class="nf">.into</span><span class="p">(),</span> <span class="nf">build_public</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Auth</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">RSA_KEY_AUTH</span><span class="p">)</span><span class="o">?</span><span class="p">),</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frp84mikorxuldi48zoc9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frp84mikorxuldi48zoc9.png" width="800" height="253"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa8yer9jr32mlb1hr3v4v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa8yer9jr32mlb1hr3v4v.png" width="800" height="251"></a></p> <p>For <code>primary_handle</code> / <code>parent_handle</code>, pass the hierarchy handle / parent handle.<br> These functions require authorization for those handles.<br> For the <em>SRK</em>, pass the hierarchy you want to create it under (commonly the Owner hierarchy).<br> For the <em>RSA</em> key, pass the parent <em>SRK</em> handle.</p> <p>For <code>public</code>, pass an object’s public area as a <code>Public</code>.<br> You can choose the object type from <code>Rsa</code>, <code>KeyedHash</code>, <code>Ecc</code>, or <code>SymCipher</code>.</p> <p>For <code>auth_value</code>, pass the auth value for an object as a byte array.<br> If you pass <code>None</code>, it becomes an empty byte string.<br> In that code, <code>Auth::try_from()</code> accepts <code>&amp;[u8]</code> and <code>Vec&lt;u8&gt;</code>.</p> <p>For <code>initial_data</code> / <code>sensitive_data</code>, pass sensitive data as a byte array.<br> For a symmetric key, this value becomes the key material.<br> For an asymmetric key, you can’t provide the sensitive data from outside, so pass <code>None</code>.<br> Also, if you set <code>with_sensitive_data_origin(true)</code> in the object attributes, the sensitive data is generated inside the TPM (except the auth value), so pass <code>None</code>.</p> <p>For <code>outside_info</code>, pass extra data to include in the creation data as a byte array.<br> If you don’t need it, pass <code>None</code>.</p> <p>For <code>creation_pcrs</code>, pass PCR indices to include in the creation data.<br> You can use this to record the environment at creation time.<br> If you don’t need it, pass <code>None</code>.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Default values are used for the object attributes, </span> <span class="c"># the Name hash algorithm, etc</span> <span class="c"># Create an SRK</span> <span class="c"># Save the created key to a context file with "-c"</span> tpm2_createprimary <span class="nt">-c</span> srk.ctx <span class="c"># Create and load an RSA key</span> <span class="c"># Specify the parent object (context file path or handle) with "-C"</span> <span class="c"># Set the object attributes with "-a"</span> <span class="c"># Set the algorithm with "-G" (&lt;type&gt;:&lt;scheme&gt;:&lt;symmetric-details&gt;)</span> <span class="c"># Set the auth value for the object with "-p"</span> <span class="c"># Load the created object and output it to a context file with "-c"</span> tpm2_create <span class="se">\</span> <span class="nt">-C</span> srk.ctx <span class="se">\</span> <span class="nt">-a</span> <span class="s2">"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt"</span> <span class="se">\</span> <span class="nt">-G</span> rsa2048:oaep-sha256 <span class="se">\</span> <span class="nt">-p</span> AuthValue <span class="se">\</span> <span class="nt">-c</span> rsa.ctx <span class="c"># Using "-c" performs the same flow as tpm2_createloaded.</span> <span class="c"># If the TPM doesn't support it, the command returns an error.</span> </code></pre> </div> <ul> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_createprimary.1/" rel="noopener noreferrer"><em>tpm2_createprimary(1) - tpm2-tools</em></a></li> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_create.1/" rel="noopener noreferrer"><em>tpm2_create(1) - tpm2-tools</em></a></li> </ul> <h4> Key Loading </h4> <p>After creating the <em>RSA</em> key, you need to load it into the TPM.<br> However, <code>create_primary()</code> creates and loads a key, so you can skip this step.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Load the created key into the TPM</span> <span class="n">ctx</span><span class="nf">.load</span><span class="p">(</span><span class="n">hsrk</span><span class="nf">.into</span><span class="p">(),</span> <span class="n">key_result</span><span class="py">.out_private</span><span class="p">,</span> <span class="n">key_result</span><span class="py">.out_public</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgl43ucawcwdhus410vp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgl43ucawcwdhus410vp.png" width="800" height="192"></a></p> <p>For <code>parent_handle</code>, pass the parent handle used to load the created key.<br> The function requires authorization for this handle.<br> Pass the same handle you used as <code>parent_handle</code> in <code>create()</code>.</p> <p>For <code>private</code> and <code>public</code>, pass a created object's private and public parts.<br> You can take them from the return values of <code>create()</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbs0uqqvdcnrcvmukqkn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbs0uqqvdcnrcvmukqkn.png" width="800" height="256"></a></p> <p>For <code>private</code>, use <code>out_private</code>, for <code>public</code>, use <code>out_public</code>.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create an RSA key</span> <span class="c"># Save the public part to a file with "-u"</span> <span class="c"># Save the private part to a file with "-r"</span> tpm2_create <span class="se">\</span> <span class="nt">-C</span> srk.ctx <span class="se">\</span> <span class="nt">-u</span> rsa.pub <span class="se">\</span> <span class="nt">-r</span> rsa.priv <span class="se">\</span> <span class="nt">-a</span> <span class="s2">"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt"</span> <span class="se">\</span> <span class="nt">-G</span> rsa2048:oaep-sha256 <span class="se">\</span> <span class="nt">-p</span> AuthValue <span class="c"># Load the created key into the TPM</span> <span class="c"># Specify the saved public file with "-u"</span> <span class="c"># Specify the saved private file with "-r"</span> <span class="c"># Save the context file with "-c"</span> tpm2_load <span class="se">\</span> <span class="nt">-C</span> srk.ctx <span class="se">\</span> <span class="nt">-u</span> rsa.pub <span class="se">\</span> <span class="nt">-r</span> rsa.priv <span class="se">\</span> <span class="nt">-c</span> rsa.ctx </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_load.1/" rel="noopener noreferrer"><em>tpm2_load(1) - tpm2-tools</em></a></p> <h4> Key Persistence </h4> <p>To make a key persistent, use <code>evict_control()</code>.<br> The transient object is copied to a persistent handle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">match</span> <span class="k">self</span> <span class="py">.ctx</span> <span class="c1">// Set a password session</span> <span class="nf">.execute_with_session</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Make the target object persistent</span> <span class="n">ctx</span><span class="nf">.evict_control</span><span class="p">(</span> <span class="nn">Provision</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="n">handle</span><span class="p">,</span> <span class="nn">PersistentTpmHandle</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">value</span><span class="p">)</span><span class="o">?</span><span class="nf">.into</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span> <span class="p">{</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrxnl6r2yyb9molb6qkn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrxnl6r2yyb9molb6qkn.png" width="800" height="190"></a></p> <p>For <code>auth</code>, pass the hierarchy authorization, <code>Owner</code> or <code>Platform</code>.<br> This function requires authorization for this handle.<br> If you use <code>Owner</code>, the persistent handle value must be in <strong>0x81000000–0x817FFFFF</strong>.<br> If you use <code>Platform</code>, it must be in <strong>0x81800000–0x81FFFFFF</strong>.</p> <p>For <code>object_handle</code>, pass the object handle to persist.<br> After creating a key, you can get a <code>KeyHandle</code> from the return value and convert it to an <code>ObjectHandle</code> with <code>into()</code>.<br> For <code>create_primary()</code>, it’s available as the <code>key_handle</code> field in the return value.</p> <p>For <code>persistent</code>, pass the destination persistent handle value (<strong>0x81000000–0x81FFFFFF</strong>).<br> If <code>object_handle</code> is a transient object, it's persisted under this handle value.<br> If it's already a persistent object, it's removed instead.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Persist an object</span> <span class="c"># Specify the context file path (or handle value) of the target object with "-c"</span> <span class="c"># Specify the destination persistent handle as the last argument</span> tpm2_evictcontrol <span class="nt">-c</span> rsa.ctx 0x81000002 <span class="c"># If you don’t specify a persistent handle value, it's stored under an available handle value</span> </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_evictcontrol.1/" rel="noopener noreferrer"><em>tpm2_evictcontrol(1) - tpm2-tools</em></a></p> <h4> Removing Transient Objects </h4> <p>Even after you make an object persistent, the original transient object remains loaded.<br> Because the number of transient objects that can be loaded at the same time is limited, it’s best to remove any you no longer need.<br> With <code>swtpm</code>, I was able to keep up to three transient objects at once (this may vary depending on the environment or version).</p> <p><code>flush_context()</code> flushes the context associated with a loaded handle (e.g., a transient object or a session).<br> This function returns an error if an authorization session is applied.<br> </p> <p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Remove the transient object</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.flush_context</span><span class="p">(</span><span class="n">handle</span><span class="p">);</span> </code></pre> </div> <p>For <code>handle</code>, pass the handle of the object (or session) you want to remove.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Specify the object to be removed as the last argument</span> tpm2_flushcontext 0x80000001 <span class="c"># Remove all transient objects with "-t"</span> tpm2_flushcontext <span class="nt">-t</span> </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_flushcontext.1/" rel="noopener noreferrer"><em>tpm2_flushcontext(1) - tpm2-tools</em></a> </p> <h4> Public Struct </h4> <p>In this implementation, I use <code>Rsa</code> as the object type.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgql7pyycm0inj5ih9xcp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgql7pyycm0inj5ih9xcp.png" alt=" " width="800" height="196"></a></p> <p>You can build a <code>Public</code> with <code>PublicBuilder</code> by setting the required fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Build a Public struct</span> <span class="k">let</span> <span class="n">public</span> <span class="o">=</span> <span class="nn">PublicBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_public_algorithm</span><span class="p">(</span><span class="nn">PublicAlgorithm</span><span class="p">::</span><span class="n">Rsa</span><span class="p">)</span> <span class="nf">.with_object_attributes</span><span class="p">(</span><span class="n">attrs</span><span class="p">)</span> <span class="nf">.with_name_hashing_algorithm</span><span class="p">(</span><span class="nn">HashingAlgorithm</span><span class="p">::</span><span class="n">Sha256</span><span class="p">)</span> <span class="nf">.with_rsa_parameters</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="nf">.with_rsa_unique_identifier</span><span class="p">(</span><span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <h5> object_attributes </h5> <p>For <code>object_attributes</code>, pass the object attributes with <code>ObjectAttributes</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// SRK attributes</span> <span class="k">let</span> <span class="n">attrs</span> <span class="o">=</span> <span class="nn">ObjectAttributesBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_fixed_tpm</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_fixed_parent</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_no_da</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_restricted</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_user_with_auth</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_sensitive_data_origin</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_decrypt</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="c1">// RSA key attributes</span> <span class="k">let</span> <span class="n">attrs</span> <span class="o">=</span> <span class="nn">ObjectAttributesBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_fixed_tpm</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_fixed_parent</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_user_with_auth</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_sensitive_data_origin</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.with_decrypt</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>In this code, the <em>SRK</em> attributes follow the guidance for a shared <em>SRK</em>.<br> Since it’s intended to be usable by multiple applications, the guidance recommends setting <code>noDA</code> and leaving the auth policy empty (and typically using an all-zero auth value).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsk5lcjzcerwa6vtnjfb4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsk5lcjzcerwa6vtnjfb4.png" width="800" height="254"></a></p> <p>When creating an asymmetric key, you need to set <code>with_sensitive_data_origin(true)</code>, and you can't provide sensitive data from outside the TPM.<br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.183 sensitiveDataOrigin)</a>)</p> <blockquote> <p><strong>Note:</strong><br> If <code>with_user_with_auth(false)</code> is set, you can’t use password or HMAC authorization for that object.<br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.184 userWithAuth)</a>)</p> </blockquote> <h5> name_hashing_algorithm </h5> <p>For <code>name_hashing_algorithm</code>, pass the hash algorithm used to compute the object’s Name.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1ps30cpw2hqse81319i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1ps30cpw2hqse81319i.png" width="800" height="333"></a></p> <p>For now, <code>Sha256</code> is widely supported and recommended from a security standpoint.</p> <h5> auth_policy </h5> <p>For <code>auth_policy</code>, pass the policy digest to set on the object as a byte array.<br><br> You can use it to restrict how the object can be used.<br> If you don’t need a policy, pass <code>Digest::default()</code>.</p> <h5> parameters </h5> <p>For <code>parameters</code>, pass the internal parameters for the selected object type as <code>PublicRsaParameters</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// SRK parameters</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="nn">PublicRsaParametersBuilder</span><span class="p">::</span><span class="nf">new_restricted_decryption_key</span><span class="p">(</span> <span class="nn">SymmetricDefinitionObject</span><span class="p">::</span><span class="n">AES_128_CFB</span><span class="p">,</span> <span class="nn">RsaKeyBits</span><span class="p">::</span><span class="n">Rsa2048</span><span class="p">,</span> <span class="nn">RsaExponent</span><span class="p">::</span><span class="n">ZERO_EXPONENT</span><span class="p">,</span> <span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="c1">// RSA key parameters</span> <span class="k">let</span> <span class="n">hash_algo</span> <span class="o">=</span> <span class="nn">HashScheme</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HashingAlgorithm</span><span class="p">::</span><span class="n">Sha256</span><span class="p">);</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="nn">PublicRsaParametersBuilder</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.with_scheme</span><span class="p">(</span><span class="nn">RsaScheme</span><span class="p">::</span><span class="nf">Oaep</span><span class="p">(</span><span class="n">hash_algo</span><span class="p">))</span> <span class="nf">.with_key_bits</span><span class="p">(</span><span class="nn">RsaKeyBits</span><span class="p">::</span><span class="n">Rsa2048</span><span class="p">)</span> <span class="nf">.with_exponent</span><span class="p">(</span><span class="nn">RsaExponent</span><span class="p">::</span><span class="n">ZERO_EXPONENT</span><span class="p">)</span> <span class="nf">.build</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p><code>new_restricted_decryption_key()</code> provides parameters typically used for an <em>SRK</em>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk8tc8e8rqf1vosqktrgp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk8tc8e8rqf1vosqktrgp.png" width="800" height="139"></a></p> <p>For <code>symmetric</code>, pass the symmetric algorithm to wrap (protect) child keys.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1gofazj1kqgievgjoor9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1gofazj1kqgievgjoor9.png" width="800" height="448"></a></p> <p>You can also choose one of the constants <code>AES_128_CFB</code>, <code>AES_256_CFB</code>, or <code>SM4_128_CFB</code>.<br> For most use cases, <code>AES_128_CFB</code> is a reasonable default.</p> <p>For <code>key_bits</code>, pass a key size (in bits).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakfgasvsh4m25mt0t32y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakfgasvsh4m25mt0t32y.png" width="800" height="194"></a></p> <p>For now, <code>Rsa2048</code> or higher is recommended.</p> <p>For <code>exponent</code>, pass a public exponent.<br> <code>ZERO_EXPONENT</code> means you pass <strong>0</strong>, which the TPM treats as <strong>65537 (2^16 + 1)</strong>.</p> <p>For an <em>RSA</em> key, you set the scheme (padding) instead of a symmetric algorithm.<br> You can choose from <code>Oaep</code>, <code>RsaEs</code>, or <code>Null</code>.<br> <code>Oaep</code> is recommended, and in that case you also need to set a hash algorithm.</p> <h5> unique </h5> <p>For <code>unique</code>, pass bytes that uniquely identify the public area.</p> <p>When creating a key, this field is filled with a value generated inside the TPM (for an asymmetric key, it’s the public key), so any value you pass here is ignored.<br> You need to set it when loading an external key, for example.<br> If you don’t need it, use <code>PublicKeyRsa::default()</code>.</p> <p>🔗 References:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.63 TPM2_Create)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.250 TPM2_CreatePrimary)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.299 TPM2_EvictControl)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.297 TPM2_FlushContext)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.185 PublicArea)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 2: Structures (p.183 TPMS_RSA_PARMS)</a></li> </ul> <h3> 6. Wrap the Key </h3> <p>Now we’re finally at the key-wrapping step!</p> <p>The implementation uses an HMAC session.<br> Since plaintext is sent to the TPM during key wrapping, it's recommended to set the <code>decrypt</code> attribute.<br> This attribute encrypts the first function argument before sending it to the TPM, but only if that argument is a size-prefixed buffer.</p> <h4> HMAC session creation </h4> <p><code>start_auth_session()</code> creates an authentication session.<br> <code>execute_with_nullauth_session()</code> internally uses this function to create an HMAC session with the <code>decrypt</code> and <code>encrypt</code> attributes set.<br> Unless you need more fine-grained control, it's easier to use this function.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj4u4xxwgo493okjxpx5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj4u4xxwgo493okjxpx5.png" alt=" " width="800" height="126"></a></p> <p>This function uses AES-128 in CFB mode as the symmetric algorithm and SHA-256 as the hash algorithm.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create an HMAC session</span> <span class="c"># Save the session context to a file with "-S"</span> tpm2_startauthsession <span class="nt">--hmac-session</span> <span class="nt">-S</span> hmacsession.ctx <span class="c"># Add attributes to the session</span> <span class="c"># Update the session context file in place</span> tpm2_sessionconfig <span class="nt">--enable-decrypt</span> <span class="nt">--enable-encrypt</span> hmacsession.ctx <span class="c"># Check the current session data</span> tpm2_sessionconfig hmacsession.ctx </code></pre> </div> <ul> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_startauthsession.1/" rel="noopener noreferrer"><em>tpm2_startauthsession(1) - tpm2-tools</em></a></li> <li><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_sessionconfig.1/" rel="noopener noreferrer"><em>tpm2_sessionconfig(1) - tpm2-tools</em></a></li> </ul> <blockquote> <p><strong>Note:</strong><br> If a session isn't used for authorization, you must set at least one session attribute.<br> (Here, "session attributes" refers only to decrypt, encrypt, and audit.)<br> Depending on the function, the session may not be usable, or only specific attributes may be allowed. For functions that don't require authorization, you can't use a password session.</p> </blockquote> <h4> Key Wrapping </h4> <p>To encrypt (wrap) with an <em>RSA</em> key, use <code>rsa_encrypt()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Wrap the target key</span> <span class="k">let</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_nullauth_session</span><span class="p">(|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="n">ctx</span><span class="nf">.rsa_encrypt</span><span class="p">(</span> <span class="n">hrsa</span><span class="nf">.into</span><span class="p">(),</span> <span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">target_key</span><span class="nf">.as_slice</span><span class="p">())</span><span class="o">?</span><span class="p">,</span> <span class="nn">RsaDecryptionScheme</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="nn">Data</span><span class="p">::</span><span class="nf">default</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fol6dkc9zyrmmf0imnwc8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fol6dkc9zyrmmf0imnwc8.png" width="800" height="224"></a></p> <p>For <code>key_handle</code>, pass the handle of the key object used for encryption.</p> <p>For <code>message</code>, pass the data you want to encrypt as a byte array.</p> <p>For <code>in_scheme</code>, pass the padding scheme.<br> If the object specified by <code>key_handle</code> has a scheme other than <code>Null</code>, pass either the same scheme or <code>Null</code>. If the object’s scheme is <code>Null</code>, the scheme you pass here will be used.</p> <p>For <code>label</code>, pass the data to put into OAEP’s L parameter as a byte array.<br> If you provide a non-empty label, the last byte must be <strong>0</strong>.<br> If you don’t need it, pass Data::default().</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Specify the key context file (or handle value) with "-c"</span> <span class="c"># Specify the padding scheme with "-s" (default: RSAES_PKCSV1.5)</span> <span class="c"># Save the encrypted output to a file with "-o" (otherwise it goes to stdout)</span> <span class="c"># Specify the file to be encrypted as the last argument</span> tpm2_rsaencrypt <span class="se">\</span> <span class="nt">-c</span> rsa.ctx <span class="se">\</span> <span class="nt">-s</span> null <span class="se">\</span> <span class="nt">-o</span> msg.enc <span class="se">\</span> msg.ptext </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_rsaencrypt.1/" rel="noopener noreferrer"><em>tpm2_rsaencrypt(1) - tpm2-tools</em></a></p> <p>🔗 References:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.95 TPM2_RSA_Encrypt)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p0_r14_pub10012021.pdf" rel="noopener noreferrer">TCG TSS 2.0 Enhanced System API (ESAPI) Specification (p.50 Esys_StartAuthSession Commands)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.115 HMAC Computation)</a></li> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-1-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 1: Architecture (p.100 Session Attributes)</a></li> </ul> <h3> Unwrap the Key </h3> <p>To decrypt (unwrap) with an <em>RSA</em> key, use <code>rsa_decrypt()</code>.<br><br> This function requires authorization, so you need to configurate authorization in place before calling it.</p> <h4> Authorization Settings </h4> <p>Authorization is required for the <em>RSA</em> key used for decryption.<br> To set its auth value, use <code>tr_set_auth()</code>. You can skip this if the auth value is an empty byte string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Set the auth value for the object</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.tr_set_auth</span><span class="p">(</span><span class="n">hrsa</span><span class="p">,</span> <span class="nn">Auth</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">RSA_KEY_AUTH</span><span class="p">)</span><span class="o">?</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// The auth value isn't validated here.</span> <span class="c1">// It's verified when you run a function that requires authorization.</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfo4b7cac8x7lrfeqj2i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfo4b7cac8x7lrfeqj2i.png" width="800" height="145"></a></p> <p>For <code>object_handle</code>, pass the object handle you want to set the auth value for.</p> <p>For <code>auth</code>, pass the auth value for the target object as a byte array.</p> <p>Since unwrapped data is sent back from the TPM, it's recommended to set the <code>encrypt</code> attribute on the session.<br> As with encryption, the implementation uses <code>execute_with_nullauth_session()</code>.</p> <h4> Key Unwrapping </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhri0d21pjnr050gsxir.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhri0d21pjnr050gsxir.png" width="800" height="223"></a></p> <p>For <code>cipher_text</code>, pass the data you want to decrypt as a byte array.</p> <p>For the rest of the parameters, pass the same values you used in the encryption step.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Unwrap the target key</span> <span class="k">let</span> <span class="n">unwrapped_key</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ctx</span><span class="nf">.execute_with_nullauth_session</span><span class="p">(|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="n">ctx</span><span class="nf">.rsa_decrypt</span><span class="p">(</span> <span class="n">hrsa</span><span class="nf">.into</span><span class="p">(),</span> <span class="nn">PublicKeyRsa</span><span class="p">::</span><span class="nf">try_from</span><span class="p">(</span><span class="n">target_key</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="nn">RsaDecryptionScheme</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="nn">Data</span><span class="p">::</span><span class="nf">default</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Specify the key context file (or handle value) with "-c"</span> <span class="c"># Set the auth value for the specified key with "-p"</span> <span class="c"># (you can also combine it with a session using the "session:" prefix)</span> <span class="c"># Specify the padding scheme with "-s" (default: RSAES_PKCSV1.5)</span> <span class="c"># Save the decrypted data to a file with "-o" (otherwise it goes to stdout)</span> <span class="c"># Specify the file to be decrypted as the last argument</span> tpm2_rsadecrypt <span class="se">\</span> <span class="nt">-c</span> rsa.ctx <span class="se">\</span> <span class="nt">-p</span> session:hmacsession.ctx+AuthValue <span class="se">\</span> <span class="nt">-s</span> null <span class="se">\</span> <span class="nt">-o</span> msg.ptext <span class="se">\</span> msg.enc </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_rsadecrypt.1/" rel="noopener noreferrer"><em>tpm2_rsadecrypt(1) - tpm2-tools</em></a></p> <p>🔗 Reference:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.98 TPM2_RSA_Decrypt)</a></li> </ul> <h3> Shut Down the TPM </h3> <p>To shut down the TPM, use <code>shutdown()</code>.<br> With a hardware TPM, the platform often sends <code>TPM2_Shutdown()</code> as part of power-state transitions, so you may not need to call it yourself.<br> (Reference: <a href="https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-Version-1p06_pub.pdf" rel="noopener noreferrer">TCG PC Client Platform TPM Profile Specification for TPM 2.0 (p.31 Power Management)</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Shut down the TPM with Clear</span> <span class="n">ctx</span><span class="nf">.shutdown</span><span class="p">(</span><span class="nn">StartupType</span><span class="p">::</span><span class="n">Clear</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzo6r9pf9jvnrf0177dwy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzo6r9pf9jvnrf0177dwy.png" width="800" height="62"></a></p> <p>For <code>shutdown_type</code>, pass either <code>Clear</code> or <code>State</code>.<br> With <code>Clear</code>, the TPM discards the current volatile state.<br> With <code>State</code>, the TPM saves the current volatile state, and how it is restored depends on the argument you pass to <code>startup()</code> next time.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Shut down with State</span> tpm2_shutdown <span class="c"># Shut down with Clear</span> tpm2_shutdown <span class="nt">-c</span> </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_shutdown.1/" rel="noopener noreferrer"><em>tpm2_shutdown(1) - tpm2-tools</em></a></p> <p>🔗 Reference:</p> <ul> <li><a href="https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf" rel="noopener noreferrer">Trusted Platform Module Library Part 3: Commands (p.46 TPM2_Shutdown)</a></li> </ul> <h3> Remove a Persistent Key </h3> <p>To remove a persistent key, use <code>evict_control()</code>.</p> <p>You also use this function to make a key persistent, but for removal you specify the persistent object you want to remove, and you pass the same persistent handle value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="k">self</span> <span class="py">.ctx</span> <span class="c1">// Set a password session</span> <span class="nf">.execute_with_session</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Remove the persistent object</span> <span class="n">ctx</span><span class="nf">.evict_control</span><span class="p">(</span> <span class="nn">Provision</span><span class="p">::</span><span class="n">Owner</span><span class="p">,</span> <span class="n">handle</span><span class="p">,</span> <span class="nn">PersistentTpmHandle</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">value</span><span class="p">)</span><span class="o">?</span><span class="nf">.into</span><span class="p">(),</span> <span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <h3> Clear the TPM </h3> <p>To clear the TPM state — including objects stored under the Storage/Endorsement hierarchies — use <code>clear()</code>.<br> This function requires authorization, so make sure your authorization settings are in place before calling it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">clear_tpm</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// If the auth value is non-empty, set it with `tr_set_auth()`.</span> <span class="k">self</span><span class="py">.ctx</span> <span class="c1">// Set a password session</span> <span class="nf">.execute_with_session</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="nn">AuthSession</span><span class="p">::</span><span class="n">Password</span><span class="p">),</span> <span class="p">|</span><span class="n">ctx</span><span class="p">|</span> <span class="p">{</span> <span class="c1">// Clear the TPM</span> <span class="n">ctx</span><span class="nf">.clear</span><span class="p">(</span><span class="nn">AuthHandle</span><span class="p">::</span><span class="n">Lockout</span><span class="p">)</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsekj9d3vn0yewlf5k24n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsekj9d3vn0yewlf5k24n.png" width="800" height="62"></a></p> <p>For <code>auth_handle</code>, pass the authorization handle, either <code>Lockout</code> or <code>Platform</code>.<br> If you use <code>Platform</code>, physical presence may be required depending on the platform/firmware configuration.</p> <p>If you want to do this in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># This example uses the Platform hierarchy for authorization</span> <span class="c"># Specify the hierarchy used for authorization with "-c" (default: lockout)</span> <span class="c"># Provide the auth value for specified hierarch as the last argument</span> tpm2_clear <span class="nt">-c</span> p &lt;platformAuth&gt; </code></pre> </div> <p><a href="https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_clear.1/" rel="noopener noreferrer"><em>tpm2_clear(1) - tpm2-tools</em></a></p> <h3> About tpm2-tss Logs </h3> <p>If you see log messages from <code>tpm2-tss</code> (included in <code>libtss2-dev</code>), you can adjust the log level using environment variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Disable all log output</span> <span class="nb">export </span><span class="nv">TSS2_LOG</span><span class="o">=</span>all+NONE <span class="c"># Show only ERROR and above</span> <span class="nb">export </span><span class="nv">TSS2_LOG</span><span class="o">=</span>all+ERROR <span class="c"># Write logs to a file</span> <span class="nb">export </span><span class="nv">TSS2_LOGFILE</span><span class="o">=</span>tss.log </code></pre> </div> <h2> Final Thoughts </h2> <p>It was my first time using Ubuntu.<br> It made it really easy to set up a Linux environment.</p> <p>For this implementation, <code>tss-esapi</code> is a much lower-level API than NCrypt, which I used on Windows, so it was much more challenging.</p> <p>While writing this explanation, I didn’t just read the docs. I also tried a lot of things myself along the way.<br> Because of that, it ended up taking me more than a month to finish this article...</p> <p>It was tough, but it was also more fun to write than I expected!</p> <p>Thanks for reading!</p> rust linux ubuntu security How I Used TPM for Key Encryption in Rust (Using Windows APIs) tsuruko Tue, 07 Oct 2025 14:48:59 +0000 https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-using-windows-apis-33n0 https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-using-windows-apis-33n0 <p>I implemented TPM-based key wrapping on <strong>Windows</strong> using the <code>windows-sys</code> crate.<br> (Linux version: <a href="https://dev.to/tsuruko12/how-i-used-tpm-for-key-encryption-in-rust-on-linux-hardware-tpm-vtpm-4ond">How I Used TPM for Key Encryption in Rust on Linux (Hardware TPM &amp; vTPM)</a>)</p> <p>At first, I tried key wrapping with <code>tss-esapi</code>, but since it's designed for <strong>Linux</strong>, using it on <strong>Windows</strong> would have required a more complex setup.<br> So I chose <code>windows-sys</code> for this implementation.</p> <p>In this article, I’ll walk you through the key-wrapping implementation and explain how it works!</p> <h2> Table of Contents </h2> <ul> <li>Cargo.toml</li> <li>Implementation</li> <li>Error Codes</li> <li> Explanation <ul> <li>1. Open the TPM Provider</li> <li>2. Create a Persistent Key (If It Doesn't Exist)</li> <li>3. Get a Key from the Provider</li> <li>4. Get the Encrypted Data Size</li> <li>5. Wrap the Key</li> <li>Unwrap the Key</li> <li>Checking and Setting Key Properties</li> <li>Delete Registered Key</li> </ul> </li> <li>Final Thoughts</li> </ul> <h2> Cargo.toml </h2> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="py">getrandom</span> <span class="p">=</span> <span class="s">"0.4"</span> <span class="py">windows-sys</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.61"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"Win32_Security_Cryptography"</span><span class="p">,</span> <span class="s">"Win32_Foundation"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="py">zeroize</span> <span class="p">=</span> <span class="s">"1.8"</span> </code></pre> </div> <h2> Implementation </h2> <p>This crate uses FFI, so you'll need to call the Windows APIs inside an <code>unsafe</code> block.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::</span><span class="n">OsStr</span><span class="p">,</span> <span class="nn">os</span><span class="p">::</span><span class="nn">windows</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="n">OsStrExt</span><span class="p">,</span> <span class="n">ptr</span><span class="p">};</span> <span class="k">use</span> <span class="nn">windows_sys</span><span class="p">::{</span> <span class="nn">core</span><span class="p">::</span><span class="n">HRESULT</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::{</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">NTE_BAD_KEYSET</span><span class="p">,</span> <span class="nn">Security</span><span class="p">::</span><span class="nn">Cryptography</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">zeroize</span><span class="p">::</span><span class="n">Zeroizing</span><span class="p">;</span> <span class="k">type</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="n">T</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">T</span><span class="p">,</span> <span class="n">HRESULT</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">const</span> <span class="n">KEY_NAME</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"RSA_KEY"</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">to_utf16</span><span class="p">(</span><span class="n">s</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">utf16</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">OsStr</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="nf">.encode_wide</span><span class="p">()</span><span class="nf">.collect</span><span class="p">();</span> <span class="n">utf16</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">utf16</span> <span class="p">}</span> <span class="k">struct</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span><span class="p">,</span> <span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span><span class="p">,</span> <span class="p">}</span> <span class="k">impl</span> <span class="nb">Drop</span> <span class="k">for</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="k">fn</span> <span class="nf">drop</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Free retrieved provider and key handles</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">if</span> <span class="k">self</span><span class="py">.hkey</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nf">NCryptFreeObject</span><span class="p">(</span><span class="k">self</span><span class="py">.hkey</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="k">self</span><span class="py">.hprov</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nf">NCryptFreeObject</span><span class="p">(</span><span class="k">self</span><span class="py">.hprov</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// The target key is 32 bytes (AES-256), which is generally recommended</span> <span class="c1">// The status is an i32 (HRESULT) value, </span> <span class="c1">// and 0 means the function was successful</span> <span class="k">impl</span> <span class="n">KeyWrapper</span> <span class="p">{</span> <span class="k">fn</span> <span class="nf">open</span><span class="p">(</span><span class="n">key_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span> <span class="o">=</span> <span class="k">Self</span><span class="p">::</span><span class="nf">open_provider</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_name_utf16</span> <span class="o">=</span> <span class="nf">to_utf16</span><span class="p">(</span><span class="n">key_name</span><span class="p">);</span> <span class="k">let</span> <span class="n">hkey</span> <span class="o">=</span> <span class="k">match</span> <span class="k">Self</span><span class="p">::</span><span class="nf">retrieve_key</span><span class="p">(</span><span class="n">hprov</span><span class="p">,</span> <span class="n">key_name_utf16</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">h</span><span class="p">,</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptFreeObject</span><span class="p">(</span><span class="n">hprov</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">Self</span> <span class="p">{</span> <span class="n">hprov</span><span class="p">,</span> <span class="n">hkey</span> <span class="p">})</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">open_provider</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="n">NCRYPT_PROV_HANDLE</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptOpenStorageProvider</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">hprov</span><span class="p">,</span> <span class="n">MS_PLATFORM_CRYPTO_PROVIDER</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to open the storage provider"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">hprov</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">retrieve_key</span><span class="p">(</span><span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span><span class="p">,</span> <span class="n">key_name</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="n">NCRYPT_KEY_HANDLE</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptOpenKey</span><span class="p">(</span><span class="n">hprov</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">hkey</span><span class="p">,</span> <span class="n">key_name</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> <span class="k">match</span> <span class="n">status</span> <span class="p">{</span> <span class="mi">0</span> <span class="k">=&gt;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">hkey</span><span class="p">),</span> <span class="n">NTE_BAD_KEYSET</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// If no key with that name exists</span> <span class="nd">println!</span><span class="p">(</span><span class="s">""</span><span class="p">);</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_rsa_key</span><span class="p">(</span><span class="n">hprov</span><span class="p">,</span> <span class="n">key_name</span><span class="p">)</span> <span class="p">}</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to retrieve the key"</span><span class="p">);</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">create_padding_info</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span> <span class="p">{</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span> <span class="p">{</span> <span class="n">pszAlgId</span><span class="p">:</span> <span class="n">BCRYPT_SHA256_ALGORITHM</span><span class="p">,</span> <span class="n">pbLabel</span><span class="p">:</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="n">cbLabel</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">create_rsa_key</span><span class="p">(</span> <span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span><span class="p">,</span> <span class="n">key_name</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="n">NCRYPT_KEY_HANDLE</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="c1">// Create a persistent RSA key with the given name</span> <span class="nf">NCryptCreatePersistedKey</span><span class="p">(</span> <span class="n">hprov</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">hkey</span><span class="p">,</span> <span class="n">BCRYPT_RSA_ALGORITHM</span><span class="p">,</span> <span class="n">key_name</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to create the RSA key"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Finalize the key for use</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptFinalizeKey</span><span class="p">(</span><span class="n">hkey</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to finalize the key"</span><span class="p">);</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptFreeObject</span><span class="p">(</span><span class="n">hkey</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">hkey</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">wrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">target_key</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">target_key</span> <span class="o">=</span> <span class="nn">Zeroizing</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">target_key</span><span class="p">);</span> <span class="k">let</span> <span class="n">padding_info</span> <span class="o">=</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_padding_info</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Get the required output size if needed</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptEncrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to get the required output size"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">];</span> <span class="c1">// Wrap the target key</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptEncrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="n">wrapped_key</span><span class="nf">.as_mut_ptr</span><span class="p">(),</span> <span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to wrap the key"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Truncate to the actual size</span> <span class="n">wrapped_key</span><span class="nf">.truncate</span><span class="p">(</span><span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">wrapped_key</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">unwrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">target_key</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">padding_info</span> <span class="o">=</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_padding_info</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Get the required output size if needed</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptDecrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to get the required output size"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">unwrapped_key</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">];</span> <span class="c1">// Unwrap the target key</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptDecrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="n">unwrapped_key</span><span class="nf">.as_mut_ptr</span><span class="p">(),</span> <span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to unwrap the key"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Truncate to the actual size</span> <span class="n">unwrapped_key</span><span class="nf">.truncate</span><span class="p">(</span><span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">unwrapped_key</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The retrieved provider and key handles need to be freed at the end.<br> In this implementation, the cleanup is handled in <code>Drop</code>.</p> <p>I also checked the RSA key length used by the TPM provider with <code>NCryptGetProperty()</code>.<br> In my environment, the default was 2048 bits, and the supported range was 1024 to 2048 bits.</p> <p>This may vary depending on the environment, so if you want to check it on your own system, see the <strong>Checking and Setting Key Properties</strong> section.</p> <p>Try running it in the main function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">key</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">];</span> <span class="nn">getrandom</span><span class="p">::</span><span class="nf">fill</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">key</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Original key: {:?}"</span><span class="p">,</span> <span class="n">key</span><span class="p">);</span> <span class="k">let</span> <span class="n">key_wrapper</span> <span class="o">=</span> <span class="k">match</span> <span class="nn">KeyWrapper</span><span class="p">::</span><span class="nf">open</span><span class="p">(</span><span class="n">KEY_NAME</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">s</span><span class="p">,</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Error code: {e}"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="k">let</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="k">match</span> <span class="n">key_wrapper</span><span class="nf">.wrap_key</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">k</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Wrapped key: {:?}"</span><span class="p">,</span> <span class="n">k</span><span class="p">);</span> <span class="n">k</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Error code: {e}"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="k">match</span> <span class="n">key_wrapper</span><span class="nf">.unwrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="n">wrapped_key</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">k</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Unwrapped key: {:?}"</span><span class="p">,</span> <span class="n">k</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Error code: {e}"</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you want to delete the key, you can add <code>delete_key()</code> to <code>KeyWrapper</code> and call it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">delete_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="c1">// Delete the key</span> <span class="nf">NCryptDeleteKey</span><span class="p">(</span><span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to delete the key"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// NCryptDeleteKey() automatically releases the key handle</span> <span class="k">self</span><span class="py">.hkey</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <h2> Error Codes </h2> <p>This is a list of the main error codes, their corresponding constants, and descriptions.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Code (i32)</th> <th>Code (hex)</th> <th>Name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>0x00000000</td> <td>ERROR_SUCCESS</td> <td>Operation succeeded</td> </tr> <tr> <td>-2146893802</td> <td>0x80090006</td> <td>NTE_BAD_KEYSET</td> <td>The key does not exist or is not registered with the TPM</td> </tr> <tr> <td>-2146893809</td> <td>0x8009000F</td> <td>NTE_EXISTS</td> <td>A key with the same name already exists</td> </tr> <tr> <td>-2146893786</td> <td>0x80090026</td> <td>NTE_INVALID_HANDLE</td> <td>The handle is invalid (provider or key)</td> </tr> <tr> <td>-2146893785</td> <td>0x80090027</td> <td>NTE_INVALID_PARAMETER</td> <td>One or more parameters are invalid</td> </tr> <tr> <td>-2146893810</td> <td>0x8009000E</td> <td>NTE_NO_MEMORY</td> <td>Not enough memory to complete the operation</td> </tr> <tr> <td>-2146893808</td> <td>0x80090010</td> <td>NTE_PERM</td> <td>Access denied or operation not permitted</td> </tr> <tr> <td>-2146893792</td> <td>0x80090020</td> <td>NTE_FAIL</td> <td>An internal error occurred</td> </tr> <tr> <td>-2146893783</td> <td>0x80090029</td> <td>NTE_NOT_SUPPORTED</td> <td>The algorithm or option is not supported</td> </tr> <tr> <td>-2146893815</td> <td>0x80090009</td> <td>NTE_BAD_FLAGS</td> <td>Invalid flags specified in dwFlags</td> </tr> <tr> <td>-2146893784</td> <td>0x80090028</td> <td>NTE_BUFFER_TOO_SMALL</td> <td>Output buffer is too small</td> </tr> <tr> <td>-2147479534</td> <td>0x80090032</td> <td>NTE_INVALID_STATE</td> <td>Object is in an invalid state (e.g. not finalized)</td> </tr> <tr> <td>-2146893816</td> <td>0x80090008</td> <td>NTE_BAD_ALGID</td> <td>Invalid algorithm identifier</td> </tr> <tr> <td>-2146893814</td> <td>0x8009000A</td> <td>NTE_BAD_TYPE</td> <td>The key or object type is invalid</td> </tr> </tbody> </table></div> <h2> Explanation </h2> <p>I referred to the official Microsoft documentation to choose the right functions and understand each parameter, and I used the <code>windows-sys</code> docs to check the parameter types.</p> <p><strong>References:</strong> </p> <ul> <li>Microsoft documentation for NCrypt → <a href="https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/" rel="noopener noreferrer">ncrypt.h header</a> </li> <li>windows-sys documentation → <a href="https://docs.rs/windows-sys/latest/windows_sys/Win32/Security/Cryptography/index.html" rel="noopener noreferrer">Module Cryptography</a> </li> </ul> <p>In this section, I'll explain each function and parameter used in the implementation, based on these official documents.</p> <h3> 1. Open the TPM Provider </h3> <p>First, you need to open the provider using <code>NCryptOpenStorageProvider()</code>.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foliro7z1xbonicdkkuri.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foliro7z1xbonicdkkuri.png" alt=" " width="800" height="246"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjidejvq5kmzw6izln5bd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjidejvq5kmzw6izln5bd.png" alt=" " width="800" height="151"></a></p> <p>For <code>phprovider</code>, pass a variable (<code>&amp;mut usize</code>) to receive the provider handle.</p> <p>For <code>pszprovidername</code>, pass the alias of a key storage provider to load.<br> If you pass <code>std::ptr::null()</code>, the default key storage provider is loaded.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjso81x2v0mz8dhhkcxax.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjso81x2v0mz8dhhkcxax.png" alt=" " width="800" height="214"></a></p> <p>This implementation uses <code>MS_PLATFORM_CRYPTO_PROVIDER</code>, but if a TPM isn’t available, you can use <code>MS_KEY_STORAGE_PROVIDER</code> instead.</p> <p>The <code>dwflags</code> parameter is reserved, so it should always be set to <code>0</code> for now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptOpenStorageProvider</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">hprov</span><span class="p">,</span> <span class="n">MS_PLATFORM_CRYPTO_PROVIDER</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn8a9xwxf80dmtoe412k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn8a9xwxf80dmtoe412k.png" alt=" " width="800" height="190"></a></p> <p>If this function fails, do not use the provider handle in other functions.<br> It’s described in the Microsoft documentation:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lctldn93u8ckgc7efnx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lctldn93u8ckgc7efnx.png" alt=" " width="800" height="72"></a></p> <h3> 2. Create a Persistent Key (If It Doesn't Exist) </h3> <p><code>NCryptCreatePersistedKey()</code> can create a persistent key with a given name.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9inpqdxa6acu8wucydg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9inpqdxa6acu8wucydg.png" alt=" " width="800" height="295"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvajmrq7qpv6snua0gfj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvajmrq7qpv6snua0gfj.png" alt=" " width="800" height="209"></a></p> <p>For <code>phkey</code>, pass a variable (<code>&amp;mut usize</code>) to receive the key handle.</p> <p>For <code>pszalgid</code>, pass a null-terminated UTF-16 string that specifies the cryptographic algorithm.</p> <p>In most cases, you specify one of the <a href="https://learn.microsoft.com/en-us/windows/win32/SecCNG/cng-algorithm-identifiers" rel="noopener noreferrer">CNG Algorithm Identifiers</a>, but you can also specify algorithm identifiers that are registered independently by the provider.<br> This implementation uses <code>BCRYPT_RSA_ALGORITHM</code>.</p> <p>For <code>pszkeyname</code>, pass a pointer to a null-terminated UTF-16 string containing the key name.<br> If the parameter is set to <code>std::ptr::null()</code>, this function will create an ephemeral key that won't be stored.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">to_utf16</span><span class="p">(</span><span class="n">s</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">utf16</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">OsStr</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="nf">.encode_wide</span><span class="p">()</span><span class="nf">.collect</span><span class="p">();</span> <span class="n">utf16</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">utf16</span> <span class="p">}</span> </code></pre> </div> <p><code>encode_wide()</code> converts an <code>&amp;OsStr</code> to UTF-16.<br> Since <code>pszkeyname</code> needs a null-terminated string, a trailing <code>0</code> is appended.</p> <p>For <code>dwlegacykeyspec</code>, pass a legacy identifier that specifies the key type.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylbaob7f11x7nmpv7ls6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylbaob7f11x7nmpv7ls6.png" alt=" " width="800" height="150"></a></p> <p>In typical <strong>CNG</strong> key creation, pass <code>0</code>, since the other values are for <strong>CryptoAPI(CAPI)/CSP</strong> compatibility.<br> If you set it to anything other than <code>0</code>, it may fail with an error (<code>NTE_NOT_SUPPORTED</code>).</p> <p>For <code>dwflags</code>, pass flags that modify the behavior of this function.<br> If no flags are needed, pass <code>0</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9zttxy0jhdg7xxjzpyb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9zttxy0jhdg7xxjzpyb.png" alt=" " width="800" height="376"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="c1">// Create a persistent RSA key with the given name</span> <span class="nf">NCryptCreatePersistedKey</span><span class="p">(</span> <span class="n">hprov</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">hkey</span><span class="p">,</span> <span class="n">BCRYPT_RSA_ALGORITHM</span><span class="p">,</span> <span class="n">key_name</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr4u49be8uihsy08zjg6k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr4u49be8uihsy08zjg6k.png" alt=" " width="800" height="322"></a></p> <p>After creating the key, you can use <code>NCryptSetProperty()</code> to configure its properties.<br> Details about setting the key length are covered in the <strong>Checking and Setting Key Properties</strong> section.</p> <p>After creating the key, you need to call <code>NCryptFinalizeKey()</code> to use it.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpf4i65c5brshwpawwgo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpf4i65c5brshwpawwgo.png" alt=" " width="800" height="227"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis3qnwlurgoy7jqhry0q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis3qnwlurgoy7jqhry0q.png" alt=" " width="800" height="115"></a></p> <p>For <code>dwflags</code>, pass flags that modify the behavior of this function.<br> If no flags are needed, pass <code>0</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp51i7wt7p8r4e2zjgcjr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp51i7wt7p8r4e2zjgcjr.png" alt=" " width="800" height="233"></a></p> <p><code>NCRYPT_SILENT_FLAG</code> prevents the user interface from being displayed, but it is usually not needed for the TPM-based processing in this example.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptFinalizeKey</span><span class="p">(</span><span class="n">hkey</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7gloiif1ftav8oogjy5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7gloiif1ftav8oogjy5.png" alt=" " width="800" height="152"></a></p> <h3> 3. Get a Key from the Provider </h3> <p>If the key already exists, you can retrieve it from the provider using <code>NCryptOpenKey()</code>.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhgsneifwd2sk6u5rn19.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhgsneifwd2sk6u5rn19.png" alt=" " width="800" height="270"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbz62mt055bk1tfsyotf0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbz62mt055bk1tfsyotf0.png" alt=" " width="800" height="184"></a></p> <p>These parameters are mostly the same as those of <code>NCryptCreatePersistedKey()</code>.</p> <p>For <code>dwflags</code>, pass flags that modify the behavior of this function.<br> If no flags are needed, pass <code>0</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7hqffhkj3dsyihwt41g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7hqffhkj3dsyihwt41g.png" alt=" " width="800" height="226"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">retrieve_key</span><span class="p">(</span><span class="n">hprov</span><span class="p">:</span> <span class="n">NCRYPT_PROV_HANDLE</span><span class="p">,</span> <span class="n">key_name</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u16</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="n">NCRYPT_KEY_HANDLE</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptOpenKey</span><span class="p">(</span><span class="n">hprov</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">hkey</span><span class="p">,</span> <span class="n">key_name</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> <span class="k">match</span> <span class="n">status</span> <span class="p">{</span> <span class="mi">0</span> <span class="k">=&gt;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">hkey</span><span class="p">),</span> <span class="n">NTE_BAD_KEYSET</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// If no key with that name exists</span> <span class="nd">println!</span><span class="p">(</span><span class="s">""</span><span class="p">);</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_rsa_key</span><span class="p">(</span><span class="n">hprov</span><span class="p">,</span> <span class="n">key_name</span><span class="p">)</span> <span class="p">}</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to retrieve the key"</span><span class="p">);</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If no key with the specified name exists, <code>NCryptOpenKey()</code> returns <code>NTE_BAD_KEYSET</code>.</p> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnyx3pjd8vuni1efxf6r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnyx3pjd8vuni1efxf6r.png" alt=" " width="800" height="264"></a></p> <h3> 4. Get the Encrypted Data Size </h3> <p>You need to get the size of the encrypted data before encryption.<br> If you already know it, you can skip this step.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejzt1x30ba8o3q2kazly.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejzt1x30ba8o3q2kazly.png" alt=" " width="800" height="285"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvr6ppr9ls44y4ka2698.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvr6ppr9ls44y4ka2698.png" alt=" " width="800" height="215"></a></p> <p>For <code>pbinput</code>, pass a pointer to the buffer to encrypt.</p> <p>For <code>cdinput</code>, pass the size (in bytes) of the data (<code>pbinput</code>).</p> <p>For <code>ppaddinginfo</code>, pass a pointer to a <code>BCRYPT_OAEP_PADDING_INFO</code> struct that contains padding information.<br> If you don’t pass <code>NCRYPT_PAD_OAEP_FLAG</code> in <code>dwflags</code>, or if you’re using a symmetric key, pass <code>std::ptr::null()</code>.</p> <p>For <code>pboutput</code>, pass a pointer to the output buffer for the encrypted data.<br> If you only want to get the encrypted data size, pass <code>std::ptr::null_mut()</code>.</p> <p>For <code>cboutput</code>, pass the buffer size (<code>pboutput</code>).<br> If <code>pboutput</code> is <code>std::ptr::null_mut()</code>, this parameter is ignored.<br> However, in my test, passing a non-zero value caused an <code>NTE_INVALID_PARAMETER</code> error.</p> <p>For <code>pcbresult</code>, pass a variable (<code>&amp;mut u32</code>) that receives the output size for <code>pboutput</code>.<br> If <code>pboutput</code> is <code>std::ptr::null_mut()</code>, this parameter receives the required output size.</p> <p>For <code>dwflags</code>, pass a flag that modifies the behavior of this function.<br> The allowed flags depend on the key type specified by <code>hkey</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fex4hmdgubynx23gbx5ww.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fex4hmdgubynx23gbx5ww.png" alt=" " width="800" height="368"></a></p> <p><code>NCRYPT_PAD_OAEP_FLAG</code> is recommended for modern security.<br> When using this flag, you need to pass a pointer to a <code>BCRYPT_OAEP_PADDING_INFO</code> struct in <code>ppaddinginfo</code>.<br> For symmetric keys, pass <code>0</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">padding_info</span> <span class="o">=</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_padding_info</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Get the required output size if needed</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptEncrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2dn5wqx910evpp9z0l5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2dn5wqx910evpp9z0l5.png" alt=" " width="800" height="308"></a></p> <h4> BCRYPT_OAEP_PADDING_INFO </h4> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz87p3078edpmzetcnqvu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz87p3078edpmzetcnqvu.png" alt=" " width="800" height="228"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F402t3997g64udc18qpdp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F402t3997g64udc18qpdp.png" alt=" " width="800" height="145"></a></p> <p>For <code>pszAlgId</code>, pass the hashing algorithm used to create the padding.<br> You can find the available hash algorithms in the <a href="https://learn.microsoft.com/en-us/windows/win32/SecCNG/cng-algorithm-identifiers" rel="noopener noreferrer">CNG Algorithm Identifiers</a>.</p> <p>For <code>pbLabel</code>, pass a pointer to a buffer that contains label data used for OAEP padding.<br> If you don't need it, pass <code>std::ptr::null_mut()</code>.</p> <p>For <code>cbLabel</code>, pass the size of the <code>pbLabel</code> buffer.<br> If <code>pbLabel</code> is <code>std::ptr::null_mut()</code>, pass <code>0</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">create_padding_info</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span> <span class="p">{</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span> <span class="p">{</span> <span class="n">pszAlgId</span><span class="p">:</span> <span class="n">BCRYPT_SHA256_ALGORITHM</span><span class="p">,</span> <span class="n">pbLabel</span><span class="p">:</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="n">cbLabel</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This code uses <code>BCRYPT_SHA256_ALGORITHM</code> as the hash algorithm.</p> <h3> 5. Wrap the Key </h3> <p>Finally, wrap the key using <code>NCryptEncrypt()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">wrapped_key</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">];</span> <span class="c1">// Wrap the target key</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptEncrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="n">wrapped_key</span><span class="nf">.as_mut_ptr</span><span class="p">(),</span> <span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p>To get the encrypted data, prepare a buffer with the required size, and pass a pointer to that buffer in <code>pboutput</code>.<br> If you queried the size with this function, allocate the buffer using the size stored in the variable you passed to <code>pcbresult</code>.</p> <p>See the previous section for an explanation of <code>NCryptEncrypt()</code>.</p> <p>Lastly, truncate the output buffer to the actual size written, as returned in <code>pcbresult</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="n">wrapped_key</span><span class="nf">.truncate</span><span class="p">(</span><span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> </code></pre> </div> <h3> Unwrap the Key </h3> <p>Decrypting the wrapped key is almost the same as encryption — just replace <code>NCryptEncrypt()</code> with <code>NCryptDecrypt()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">unwrap_key</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">target_key</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">padding_info</span> <span class="o">=</span> <span class="k">Self</span><span class="p">::</span><span class="nf">create_padding_info</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Get the required output size if needed</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptDecrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to get the required output size"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">unwrapped_key</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">];</span> <span class="c1">// Unwrap the target key</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptDecrypt</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">target_key</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="n">target_key</span><span class="nf">.len</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">padding_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">BCRYPT_OAEP_PADDING_INFO</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="n">unwrapped_key</span><span class="nf">.as_mut_ptr</span><span class="p">(),</span> <span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="n">NCRYPT_PAD_OAEP_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to unwrap the key"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Truncate to the actual size</span> <span class="n">unwrapped_key</span><span class="nf">.truncate</span><span class="p">(</span><span class="n">size</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">unwrapped_key</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dfi12ck7nbkgsw0orsi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dfi12ck7nbkgsw0orsi.png" alt=" " width="800" height="285"></a></p> <h3> Checking and Setting Key Properties </h3> <p>To check an object's properties, use <code>NCryptGetProperty()</code>.</p> <p><em>Microsoft documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmzqk1xu3yricgx8vqsnk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmzqk1xu3yricgx8vqsnk.png" width="800" height="303"></a></p> <p><em>windows-sys documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1pa7akgmf61209thlxe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj1pa7akgmf61209thlxe.png" width="800" height="184"></a></p> <p>For <code>hobject</code>, pass the handle of the target object.<br> To retrieve key properties, pass a key handle.</p> <p>For <code>pszproperty</code>, pass the property identifier you want to retrieve.<br> You can find a list of identifiers in <a href="https://learn.microsoft.com/en-us/windows/win32/SecCNG/key-storage-property-identifiers" rel="noopener noreferrer">Key Storage Property Identifiers</a>.<br> If you want to check supported key lengths, the default length, and related values, pass <code>NCRYPT_LENGTHS_PROPERTY</code>.</p> <p>For <code>pboutput</code>, pass a pointer to the buffer that receives the property value.<br> If you only want to get the required buffer size, pass <code>std::ptr::null_mut()</code>.</p> <p>For <code>cboutput</code>, pass the size of the output buffer (<code>pboutput</code>) in bytes.<br> If <code>pboutput</code> is <code>std::ptr::null_mut()</code>, pass <code>0</code>.</p> <p>For <code>pcbresult</code>, pass a pointer to a variable (<code>&amp;mut u32</code>) that receives either the number of bytes actually written or the required buffer size.</p> <p>For <code>dwflags</code>, pass flags that modify the behavior of this function.<br> If no flags are needed, pass <code>0</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flvbtq8te50ub3jxmb3p1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flvbtq8te50ub3jxmb3p1.png" alt=" " width="800" height="273"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">check_key_lengths</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">supported_lengths</span> <span class="o">=</span> <span class="n">NCRYPT_SUPPORTED_LENGTHS</span> <span class="p">{</span> <span class="n">dwMinLength</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="n">dwMaxLength</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="n">dwIncrement</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="n">dwDefaultLength</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptGetProperty</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">NCRYPT_LENGTHS_PROPERTY</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">supported_lengths</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="n">NCRYPT_SUPPORTED_LENGTHS</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">NCRYPT_SUPPORTED_LENGTHS</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to retrieve the key property"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="nd">println!</span><span class="p">(</span> <span class="s">"Default length: {} bits, Supported range: {} to {} bits"</span><span class="p">,</span> <span class="n">supported_lengths</span><span class="py">.dwDefaultLength</span><span class="p">,</span> <span class="n">supported_lengths</span><span class="py">.dwMinLength</span><span class="p">,</span> <span class="n">supported_lengths</span><span class="py">.dwMaxLength</span><span class="p">,</span> <span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p>To retrieve the current key length, specify <code>NCRYPT_LENGTH_PROPERTY</code> as the property identifier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">check_current_key_length</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">cur_key_length</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">size</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptGetProperty</span><span class="p">(</span> <span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="n">NCRYPT_LENGTH_PROPERTY</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">cur_key_length</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u32</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">size</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to retrieve the key property"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Current key length: {cur_key_length} bits"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphoiottfh3o8iv6ru79b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphoiottfh3o8iv6ru79b.png" alt=" " width="800" height="301"></a></p> <p>To set an object's properties, use <code>NCryptSetProperty()</code>.<br> For a newly created key, the property must be set before calling <code>NCryptFinalizeKey()</code>.</p> <p><em>Microsoft documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4npwfj26fzu8liyarmuf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4npwfj26fzu8liyarmuf.png" width="800" height="275"></a></p> <p><em>windows-sys documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sq9u8l7mwvf0j8ylq41.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sq9u8l7mwvf0j8ylq41.png" width="800" height="158"></a></p> <p>For <code>pszproperty</code>, pass the property identifier you want to set.<br> If you want to set the key length, pass <code>NCRYPT_LENGTH_PROPERTY</code>.</p> <p>For <code>pbinput</code>, pass a pointer to a buffer that contains the new property value.</p> <p>For <code>cbinput</code>, pass the size of the buffer passed to <code>pbinput</code> in bytes.</p> <p>For <code>dwflags</code>, pass flags that modify the behavior of this function.<br> If no flags are needed, pass <code>0</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypxo7ayfkt7raihmjuqn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypxo7ayfkt7raihmjuqn.png" alt=" " width="800" height="409"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">set_key_length</span><span class="p">(</span><span class="n">hkey</span><span class="p">:</span> <span class="n">NCRYPT_KEY_HANDLE</span><span class="p">,</span> <span class="n">length</span><span class="p">:</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">TpmResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NCryptSetProperty</span><span class="p">(</span> <span class="n">hkey</span><span class="p">,</span> <span class="n">NCRYPT_LENGTH_PROPERTY</span><span class="p">,</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">length</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u32</span><span class="p">)</span><span class="nf">.cast</span><span class="p">(),</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">NCRYPT_PERSIST_FLAG</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> <span class="k">if</span> <span class="n">status</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Failed to set the key property"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihr111t0ujs1n2gkbbx8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihr111t0ujs1n2gkbbx8.png" alt=" " width="800" height="301"></a></p> <h3> Delete Registered Key </h3> <p>You can delete the registered key using <code>NCryptDeleteKey()</code>.</p> <p><em>Microsoft Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdy3ud89f2450wcuj7d6l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdy3ud89f2450wcuj7d6l.png" alt=" " width="800" height="176"></a></p> <p><em>windows-sys Documentation</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1gmcxfwvkyfcpmmgvfz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1gmcxfwvkyfcpmmgvfz.png" alt=" " width="800" height="102"></a></p> <p>For <code>dwflags</code>, pass a flag that modifies the behavior of this function.<br> The only supported value is <code>NCRYPT_SILENT_FLAG</code>.<br> If no flags are needed, pass <code>0</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="c1">// Delete the key</span> <span class="nf">NCryptDeleteKey</span><span class="p">(</span><span class="k">self</span><span class="py">.hkey</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p>If this function succeeds, the key handle is freed automatically.<br> It’s described in the Microsoft documentation:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkgs182aegw6mz62fhfjd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkgs182aegw6mz62fhfjd.png" alt=" " width="800" height="135"></a></p> <p><em>Some of the return codes</em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2xmw9h269bzrczv61t7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2xmw9h269bzrczv61t7.png" alt=" " width="800" height="152"></a></p> <h2> Final Thoughts </h2> <p>At first, since I didn’t know much about C++, I struggled to read the function signatures.<br> But through this implementation, I came to understand them better, and I learned how TPM works.</p> <p>Thanks for reading!</p> rust security api Dynamically Switch Between Values and Functions — Without if Statements tsuruko Thu, 28 Aug 2025 13:01:21 +0000 https://dev.to/tsuruko12/dynamically-switch-between-values-and-functions-without-if-statements-7m9 https://dev.to/tsuruko12/dynamically-switch-between-values-and-functions-without-if-statements-7m9 <p>Python library <code>triggon</code> can dynamically switch values and functions, and it helps clean up your code by reducing the need for <code>if</code> statements.<br><br> I'm going to introduce its features with two simple examples.</p> <h1> ➀ Switch between values and functions </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">random</span> <span class="kn">from</span> <span class="n">triggon</span> <span class="kn">import</span> <span class="n">Triggon</span><span class="p">,</span> <span class="n">TrigFunc</span> <span class="n">F</span> <span class="o">=</span> <span class="nc">TrigFunc</span><span class="p">()</span> <span class="c1"># Wrapper for delayed execution </span><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">(</span><span class="sh">"</span><span class="s">num</span><span class="sh">"</span><span class="p">,</span> <span class="n">new</span><span class="o">=</span><span class="n">F</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">))</span> <span class="k">def</span> <span class="nf">func</span><span class="p">():</span> <span class="c1"># If 'num' is active, switch the value from 0 to random.randint(1, 100) </span> <span class="n">num</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_lit</span><span class="p">(</span><span class="sh">"</span><span class="s">num</span><span class="sh">"</span><span class="p">,</span> <span class="n">org</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> <span class="nf">func</span><span class="p">()</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">num</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Activate the "num" label </span><span class="nf">func</span><span class="p">()</span> <span class="n">tg</span><span class="p">.</span><span class="nf">revert</span><span class="p">(</span><span class="sh">"</span><span class="s">num</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Switch to the original value </span><span class="nf">func</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># == Output == 0 79 (random number between 1 and 100) 0 </code></pre> </div> <p><code>switch_lit()</code> automatically executes the function if it is delayed with <code>TrigFunc</code>.<br><br> <code>TrigFunc</code> works by simply creating an instance and wrapping the target function, just like a normal function call.</p> <h1> ➁ Switch to multiple index values for a single variable </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">F</span> <span class="o">=</span> <span class="nc">TrigFunc</span><span class="p">()</span> <span class="c1"># "nums" holds the values of (index 0, index 1, index 2, index 3) </span><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">,</span> <span class="n">new</span><span class="o">=</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Next it</span><span class="sh">'</span><span class="s">ll be 0!</span><span class="sh">"</span><span class="p">)))</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">0</span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Activate "nums" label </span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_var</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="c1"># Switch to index 0 </span><span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_var</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Switch to index 1 </span><span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_var</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># Switch to index 2 </span><span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># If the value is a delayed function with TrigFunc, # it will also execute automatically. </span><span class="n">tg</span><span class="p">.</span><span class="nf">switch_var</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="c1"># Switch to index 3 </span> <span class="n">tg</span><span class="p">.</span><span class="nf">revert</span><span class="p">(</span><span class="sh">"</span><span class="s">nums</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Switch to the original value of x </span><span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># == Output == 0 1 2 3 Next it'll be 0! 0 </code></pre> </div> <p><code>revert()</code> can restore the original value even if it's switched multiple times. </p> <p>Those examples use one label but you can define any number of labels!</p> <h1> About triggon </h1> <p><strong><code>triggon</code> has been officially released with 2 new functions and over 15 features added!</strong></p> <p>And it supports the following features:</p> <ul> <li>Dynamically switch values and functions</li> <li>Call functions and return early at any time</li> <li>Optionally return a value with an early return </li> <li>Delay the execution of almost any function</li> </ul> <p>This library is for reducing if statements in your code!<br> If you’re interested, give it a try! </p> <p>🔗 <a href="https://pypi.org/project/triggon" rel="noopener noreferrer">PyPI</a></p> <p>I also post about the development and my learning logs on X.<br><br> Feel free to follow me!</p> python opensource triggon library Cleaner logic: triggon vs if-statements tsuruko Thu, 17 Jul 2025 15:05:25 +0000 https://dev.to/tsuruko12/cleaner-logic-triggon-vs-if-statements-1lil https://dev.to/tsuruko12/cleaner-logic-triggon-vs-if-statements-1lil <p>I compared code using my library <code>triggon</code> with traditional <code>if</code> statements.</p> <h1> First Example 👇 </h1> <p>This shows a situation where you want to change a message depending on the arguments.</p> <p>Traditional <code>if</code> version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">sample</span><span class="p">(</span><span class="n">y</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">7</span> <span class="k">if</span> <span class="n">x</span> <span class="o">&gt;</span> <span class="n">y</span><span class="p">:</span> <span class="n">fmt</span> <span class="o">=</span> <span class="sh">"</span><span class="s">greater than</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">x</span> <span class="o">==</span> <span class="n">y</span><span class="p">:</span> <span class="n">fmt</span> <span class="o">=</span> <span class="sh">"</span><span class="s">equal to</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">fmt</span> <span class="o">=</span> <span class="sh">"</span><span class="s">smaller than</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">x is </span><span class="si">{</span><span class="n">fmt</span><span class="si">}</span><span class="s"> y.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">sample</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="c1"># Output: x is smaller than y. </span><span class="nf">sample</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> <span class="c1"># Output: x is equal to y. </span><span class="nf">sample</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Output: x is greater than y. </span></code></pre> </div> <p>With <code>triggon</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">({</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">greater than</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">B</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">equal to</span><span class="sh">"</span><span class="p">})</span> <span class="k">def</span> <span class="nf">sample</span><span class="p">(</span><span class="n">y</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">7</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="n">cond</span><span class="o">=</span><span class="sh">"</span><span class="s">x &gt; y</span><span class="sh">"</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">B</span><span class="sh">"</span><span class="p">,</span> <span class="n">cond</span><span class="o">=</span><span class="sh">"</span><span class="s">x == y</span><span class="sh">"</span><span class="p">)</span> <span class="n">fmt</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_lit</span><span class="p">([</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">B</span><span class="sh">"</span><span class="p">],</span> <span class="n">org</span><span class="o">=</span><span class="sh">"</span><span class="s">smaller than</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">x is </span><span class="si">{</span><span class="n">fmt</span><span class="si">}</span><span class="s"> y.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">sample</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="c1"># Output: x is smaller than y. </span><span class="nf">sample</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> <span class="c1"># Output: x is equal to y. </span><span class="nf">sample</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Output: x is greater than y. </span></code></pre> </div> <p>The only change is one line,<br> but it <strong>removes three lines inside the function</strong>!</p> <h1> Second Example 👇 </h1> <p>This shows a situation where you want to delete user data and later recover it.</p> <p>Traditional <code>if</code> version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># (This `if` version was auto-written by AI) </span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">User</span><span class="p">:</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">John</span><span class="sh">"</span> <span class="n">age</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">25</span> <span class="n">_original_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">_original_age</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">_reverted</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">apply_deletion</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">delete</span><span class="p">:</span> <span class="nb">bool</span><span class="p">):</span> <span class="k">if</span> <span class="n">delete</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_reverted</span><span class="p">:</span> <span class="c1"># Save original values if not already saved </span> <span class="n">self</span><span class="p">.</span><span class="n">_original_name</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">name</span> <span class="n">self</span><span class="p">.</span><span class="n">_original_age</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">age</span> <span class="n">self</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">age</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">elif</span> <span class="ow">not</span> <span class="n">delete</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_reverted</span><span class="p">:</span> <span class="c1"># Do nothing if restore not requested yet </span> <span class="k">pass</span> <span class="k">elif</span> <span class="n">delete</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_reverted</span><span class="p">:</span> <span class="c1"># Skip change if values have been reverted </span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">revert</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_original_name</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_original_age</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_original_name</span> <span class="n">self</span><span class="p">.</span><span class="n">age</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_original_age</span> <span class="n">self</span><span class="p">.</span><span class="n">_reverted</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">()</span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: None, age: None </span> <span class="n">user</span><span class="p">.</span><span class="nf">revert</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span></code></pre> </div> <p>That’s a bit too long…</p> <p>With <code>triggon</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">(</span><span class="sh">"</span><span class="s">del</span><span class="sh">"</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">User</span><span class="p">:</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">John</span><span class="sh">"</span> <span class="n">age</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">25</span> <span class="k">def</span> <span class="nf">apply_deletion</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">delete</span><span class="p">:</span> <span class="nb">bool</span><span class="p">):</span> <span class="n">tg</span><span class="p">.</span><span class="nf">switch_var</span><span class="p">(</span><span class="sh">"</span><span class="s">del</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="n">self</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">age</span><span class="p">])</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">del</span><span class="sh">"</span><span class="p">,</span> <span class="n">cond</span><span class="o">=</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">()</span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: None, age: None </span> <span class="c1"># Permanently revert the values </span><span class="n">tg</span><span class="p">.</span><span class="nf">revert</span><span class="p">(</span><span class="sh">"</span><span class="s">del</span><span class="sh">"</span><span class="p">,</span> <span class="n">disable</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span> <span class="n">user</span><span class="p">.</span><span class="nf">apply_deletion</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">user name: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">, age: </span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">age</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Output: user name: John, age: 25 </span></code></pre> </div> <p>It <strong>reduces the code to less than half</strong> compared to the <code>if</code> version!</p> <p><code>if</code> statements are fine for simple logic,<br> but for more complex cases—like storing original values, performing multiple toggles, or restoring state—<code>triggon</code> really shines!</p> <p>I just released <code>v0.1.0b3</code> of my library <code>triggon</code> today.<br> But some bugs have already been found...<br> I'll be fixing them in the next update soon!</p> <p>You can check out the README here: <a href="https://github.com/tsuruko12/triggon/blob/main/README.md" rel="noopener noreferrer">README</a></p> python opensource library triggon Smarter Conditions, Still No Ifs—Triggon Just Got Better tsuruko Sun, 13 Jul 2025 16:00:07 +0000 https://dev.to/tsuruko12/python-smarter-conditions-still-no-ifs-triggon-just-got-better-3o2h https://dev.to/tsuruko12/python-smarter-conditions-still-no-ifs-triggon-just-got-better-3o2h <p>In this post, I’d like to share one of the <del>3</del> 5 <strong>new features planned for the next update</strong>.</p> <p><code>triggon</code> allows you to switch values or behavior automatically when a trigger point is activated based on labels.<br> With the upcoming update, you'll be able to pass <strong>conditional expressions</strong> to control when those triggers are activated, giving you more control and flexibility.</p> <h1> Example (Planned) </h1> <p>(Excerpt from the README)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">(</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">example</span><span class="p">(</span><span class="n">num</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="c1"># If the condition "num == 0" is True, the trigger will activate </span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="n">cond</span><span class="o">=</span><span class="sh">"</span><span class="s">num == 0</span><span class="sh">"</span><span class="p">)</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">alter_literal</span><span class="p">(</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> <span class="nf">example</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="c1"># Output: False </span><span class="nf">example</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Output: True </span></code></pre> </div> <p>By setting a condition in the keyword argument <code>cond</code>, the trigger will only activate when the condition evaluates to <code>True</code>.<br> <strong>Note:</strong> Control structures like <code>if x == 5:</code> are not supported—only simple comparison expressions are allowed."</p> <p>Internally, it uses <code>ast</code> along with <code>eval()</code>, but it’s designed with safety in mind—<strong>any non-comparison expressions will raise an error</strong>.</p> <p>You can find the other two features in the README, along with sample code: <br> <a href="https://github.com/tsuruko12/triggon/blob/main/README.md" rel="noopener noreferrer">README</a></p> <p><strong>The next update (v0.1.0b3) is scheduled for next week</strong>,<br> but the source code is already available on GitHub—feel free to check it out if you're interested!</p> python opensource library triggon Switch Values and Logic—No Ifs, Just a Python Library tsuruko Wed, 09 Jul 2025 15:53:15 +0000 https://dev.to/tsuruko12/switch-values-and-logic-no-ifs-just-a-python-library-2opk https://dev.to/tsuruko12/switch-values-and-logic-no-ifs-just-a-python-library-2opk <p>I recently released my first Python library as a beta version.<br> In this post, I’ll give a quick overview of what the library does.</p> <h1> About the Library </h1> <p>Library name: <code>triggon</code></p> <p>Install with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>triggon </code></pre> </div> <p>This library lets you automatically switch behavior—such as changing variable values, performing early returns, or calling functions—based on pre-defined labels, without writing any if-statements.</p> <p><strong>Key features:</strong></p> <ul> <li>Auto-switching literal or variable values</li> <li>Early return handling based on flags</li> <li>Dynamically execute functions</li> </ul> <h1> Sample Code Overview </h1> <p>Here are 3 simple examples that demonstrate how it works:</p> <h2> ➀ Auto-switching a single value </h2> <p>Switch the greeting only if a specific function is called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">triggon</span> <span class="kn">import</span> <span class="n">Triggon</span> <span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">(</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">,</span> <span class="n">new</span><span class="o">=</span><span class="sh">"</span><span class="s">Good night</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Set the label and its new value </span> <span class="k">def</span> <span class="nf">switch_msg</span><span class="p">():</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Activate the trigger for 'msg' </span> <span class="nf">greet</span><span class="p">()</span> <span class="k">def</span> <span class="nf">greet</span><span class="p">():</span> <span class="c1"># Set the original value for the label </span> <span class="n">x</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">alter_literal</span><span class="p">(</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">,</span> <span class="n">org</span><span class="o">=</span><span class="sh">"</span><span class="s">Good morning</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="c1"># First call </span><span class="nf">greet</span><span class="p">()</span> <span class="c1"># Second call </span><span class="nf">switch_msg</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># First output Good morning # Second output Good night </code></pre> </div> <h2> ➁ Switching multiple values assigned to a single label </h2> <p>You can assign multiple values to a single label, using index-based control.<br> You can also bind multiple values to the same index.</p> <p>(Excerpt from the README)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">random</span> <span class="kn">from</span> <span class="n">triggon</span> <span class="kn">import</span> <span class="n">Triggon</span> <span class="c1"># Set two values (index 0 and 1) for each label </span><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">({</span> <span class="sh">"</span><span class="s">level_1</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">Normal</span><span class="sh">"</span><span class="p">,</span> <span class="mi">80</span><span class="p">],</span> <span class="sh">"</span><span class="s">level_2</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">Rare</span><span class="sh">"</span><span class="p">,</span> <span class="mi">100</span><span class="p">],</span> <span class="sh">"</span><span class="s">level_3</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">Legendary</span><span class="sh">"</span><span class="p">,</span> <span class="mi">150</span><span class="p">],</span> <span class="p">})</span> <span class="n">level</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">attack</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">spin_gacha</span><span class="p">():</span> <span class="n">items</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">level_1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">level_2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">level_3</span><span class="sh">"</span><span class="p">]</span> <span class="n">result</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">items</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="c1"># Activate the trigger based on result </span> <span class="n">tg</span><span class="p">.</span><span class="nf">alter_var</span><span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">level</span><span class="p">)</span> <span class="c1"># Index 0 </span> <span class="n">tg</span><span class="p">.</span><span class="nf">alter_var</span><span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">attack</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Index 1 </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">You got a </span><span class="si">{</span><span class="n">level</span><span class="si">}</span><span class="s"> sword!</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Attack power: </span><span class="si">{</span><span class="n">attack</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">spin_gacha</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Output (if result is 'level_2') You got a Rare sword! Attack power: 100 </code></pre> </div> <p>You can also use a <code>*</code> prefix in labels to indicate the index position <br> (e.g., '**label' for index 2).<br> When passing labels as a dictionary, use * instead of keyword arguments, since keywords aren't supported in that case.</p> <h1> ➂ Early Return + Function Execution </h1> <p>Here’s an example combining early return and function execution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">triggon</span> <span class="kn">import</span> <span class="n">Triggon</span><span class="p">,</span> <span class="n">TrigFunc</span> <span class="c1"># Early return returns a predefined value # Function execution returns the result of the function </span><span class="n">tg</span> <span class="o">=</span> <span class="nc">Triggon</span><span class="p">({</span> <span class="sh">"</span><span class="s">skip</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Process stopped early!</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">call</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="p">})</span> <span class="n">F</span> <span class="o">=</span> <span class="nc">TrigFunc</span><span class="p">()</span> <span class="c1"># Create an instance for function wrapping </span> <span class="k">def</span> <span class="nf">example</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">If the </span><span class="sh">'</span><span class="s">call</span><span class="sh">'</span><span class="s"> flag is active, jump to example_2().</span><span class="sh">"</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">trigger_func</span><span class="p">(</span><span class="sh">"</span><span class="s">call</span><span class="sh">"</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">example_2</span><span class="p">())</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Finished normally!</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">example_2</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">example_2() reached!</span><span class="sh">"</span><span class="p">)</span> <span class="n">tg</span><span class="p">.</span><span class="nf">trigger_return</span><span class="p">(</span><span class="sh">"</span><span class="s">skip</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># example() works on its own if the trigger isn't activated </span><span class="n">result</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">exit_point</span><span class="p">(</span><span class="sh">"</span><span class="s">skip</span><span class="sh">"</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">example</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="c1"># Activate the triggers to set off an early return and function call </span><span class="n">tg</span><span class="p">.</span><span class="nf">set_trigger</span><span class="p">([</span><span class="sh">"</span><span class="s">skip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">call</span><span class="sh">"</span><span class="p">])</span> <span class="n">result</span> <span class="o">=</span> <span class="n">tg</span><span class="p">.</span><span class="nf">exit_point</span><span class="p">(</span><span class="sh">"</span><span class="s">skip</span><span class="sh">"</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">example</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># First output If the 'call' flag is active, jump to example_2(). Finished normally! # Second output If the 'call' flag is active, jump to example_2(). example_2() reached! Process stopped early! </code></pre> </div> <p>That’s a quick overview of how triggon works!<br> It’s especially helpful for temporary overrides or complex conditional flows.</p> <p><strong>This is still a beta release, so I’m actively fixing bugs and updating features.</strong><br> The source code is available on GitHub—feel free to check it out!</p> <p>Bug reports and feature suggestions are always welcome 🙌</p> <p>📘 For detailed docs and more examples:<br> <a href="https://github.com/tsuruko12/triggon/blob/main/README.md" rel="noopener noreferrer">README</a></p> python opensource library triggon