Seems to work for me. What version of the tools are you using?

I modified the test and it seems to work as expected (if I drop the password in tpm2 sign, it fails).

git diff
diff --git a/test/integration/tests/ b/test/integration/tests/
index ff8f9b3b96eb..d22cdb41a73b 100644
--- a/test/integration/tests/
+++ b/test/integration/tests/
@@ -117,13 +117,13 @@ run_ecc_import_test() {
     shasum -a 256 | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
-    tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u \
+    tpm2 import -Q -G ecc -g "$name_alg" -p password -i private.ecc.pem -C $1 -u \
     -r ecc.priv
     tpm2 load -Q -C $1 -u -r ecc.priv -n -c ecc.ctx
     # Sign in the TPM and verify with OSSL
-    tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed \
+    tpm2 sign -Q -c ecc.ctx -p password -g sha256 -d -f plain -o data.out.signed \
     openssl dgst -verify public.ecc.pem -keyform pem -sha256 \
     -signature data.out.signed
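
Review bot: both changed lines in run_ecc_import_test now always pass -p password, so the test loses the import-without-auth case and still has no negative assertion. Add a step that runs tpm2 sign on ecc.ctx without -p (or with a wrong value) and expects it to fail, since that failure is what shows the imported key really carries the auth value. The report in this thread is about an RSA key and tpm2_rsadecrypt, so the same import with -p followed by use with -p needs covering on the RSA import path as well, not only ECC. Minor: $1 is unquoted on the changed tpm2 import line.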

From: Ted Kim <>
Sent: Monday, April 19, 2021 4:24 PM
To: <>
Subject: [tpm2] Re: does -p (password) work with tpm2_import ?

On 4/16/21 11:28 AM, Ted Kim wrote:
> Folks,
> I tried tpm2_import with the -p option with a password, and it doesn't
> seem to work for me.
> Subsequent tpm2_rsadecrypt commands using the key from the import seem
> to work fine without any -p option.
> * Does import work with -p ?  Is there something I have overlooked in
> this?

Further, if you actually supply the correct password to tpm2_rsadecrypt
command with the -p option, you get an auth error:

Received TPM Error
Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_RSA_Decrypt(0x98E) - tpm:session(1):the authorization HMAC
check failed and DA counter incremented
ERROR: Unable to run tpm2_rsadecrypt

Trying this same sequence with a key created with tpm2_create works
fine, so am thinking there is something wrong with tpm2_import not
processing the -p properly.

Can the maintainers look into this?


> I understand that tpm2_rsaencrypt does not take the -p option in line
> with the idea of using a "public" key.
> * Is it correct to say that if I want to have authorization on
> encryption, I have to use tpm2_encryptdecrypt (i.e. use symmetric keys) ?
> Thanks,
> -ted
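
The response code reported in the thread above, 0x98e, can be split into its fields to see which authorization the TPM rejected. This is an added example, not part of the original messages or of tpm2-tools; the function name `decode_tpm_rc` is hypothetical, and the bit layout follows the format-one response code definition in the TPM 2.0 specification.

```shell
#!/bin/sh
# Added example: decode a TPM 2.0 response code such as the 0x0000098e above.
# decode_tpm_rc is a hypothetical helper, not a tpm2-tools command.

decode_tpm_rc() {
    rc=$(( $1 ))
    layer=$(( (rc >> 16) & 0xff ))   # TSS layer byte; 0 means the TPM itself
    code=$(( rc & 0xffff ))
    # Bit 7 (F) clear: format-zero code, no handle/session/parameter fields.
    if [ $(( code & 0x80 )) -eq 0 ]; then
        printf 'layer=%d format0 code=0x%03x\n' "$layer" "$code"
        return 0
    fi
    err=$(( code & 0x3f ))           # bits 0-5: error number (RC_FMT1 + err)
    n=$(( (code >> 8) & 0xf ))       # bits 8-11: which item was at fault
    idx=$(( n & 0x7 ))
    if [ $(( code & 0x40 )) -ne 0 ]; then
        subject="parameter($n)"      # bit 6 (P) set: N is a parameter number
    elif [ $(( n & 0x8 )) -ne 0 ]; then
        subject="session($idx)"      # bit 11 set: N indexes a session
    else
        subject="handle($idx)"       # bit 11 clear: N indexes a handle
    fi
    case $err in
        14) name=TPM_RC_AUTH_FAIL ;; # 0x0e: HMAC check failed, DA counter incremented
        34) name=TPM_RC_BAD_AUTH ;;  # 0x22: auth failure without DA implications
        *)  name=$(printf 'RC_FMT1+0x%02x' "$err") ;;
    esac
    echo "layer=$layer $subject $name"
}

# The code from the tpm2_rsadecrypt failure quoted in the thread.
decode_tpm_rc 0x0000098e
```

Because the result is TPM_RC_AUTH_FAIL rather than TPM_RC_BAD_AUTH, each retry with the rejected password counts toward dictionary-attack lockout.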