@treyweaver, the issue you are seeing is that all contexts are invalidated after TPM restart. As @tadeusz suggests you can either make the object persistent using the evict control tool. If you do this please remember the persistent handle you specify or the one used by the evictcontrol tool like 0x81000000 and now you can unseal with tpm2_unseal -c 0x81000000 even after TPM restarts. Alternatively you can also repeat the key loading step which gives you a valid key.ctx context file. Thanks and Regards, Imran Desai ________________________________________ From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of tpm2-request(a)lists.01.org [tpm2-request(a)lists.01.org] Sent: Friday, September 20, 2019 12:00 PM To: tpm2(a)lists.01.org Subject: tpm2 Digest, Vol 27, Issue 23 Send tpm2 mailing list submissions to tpm2(a)lists.01.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.01.org/mailman/listinfo/tpm2 or, via email, send a message with subject or body 'help' to tpm2-request(a)lists.01.org You can reach the person managing the list at tpm2-owner(a)lists.01.org When replying, please edit your Subject line so it is more specific than "Re: Contents of tpm2 digest..." Today's Topics: 1. Putting a persistant string into the tpm2 using tpm2_tools. (Trey Weaver) 2. Re: Putting a persistant string into the tpm2 using tpm2_tools. (Tadeusz Struk) ---------------------------------------------------------------------- Message: 1 Date: Fri, 20 Sep 2019 10:34:51 -0400 From: "Trey Weaver" <treyweaver(a)fastmail.net&gt; To: tpm2(a)lists.01.org Subject: [tpm2] Putting a persistant string into the tpm2 using tpm2_tools. Message-ID: <62b22807-115d-444b-af44-b1c0ab16daf9(a)www.fastmail.com&gt; Content-Type: text/plain; charset="us-ascii" I want to put a small string into the TPM2 and be able to recall it over restarts. Here is what I have tried: # put data in file that is to be sealed echo "my sealed data" > seal.dat # create a primary key tpm2_createprimary -c primary.ctx # create a child key in public and private parts tpm2_create -C primary.ctx -u obj.pub -r obj.priv # create a sealed object tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv # load the private and public portions into the TPM tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c key.ctx # unseal the data tpm2_unseal -c key.ctx But after a power cycle if I run '*tpm2_unseal -c key.ctx*' I get this error: *WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001df) ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed ERROR: Invalid item handle authorization ERROR: Unable to run tpm2_unseal* I am using the tpm_server (emulator) if that makes any difference. So what is the best way to load a small string into the tpm2 and be able to pull it out anytime in the future, even after power loss. Thanks