How to load and use a persistent symmetric key in the TPM?

Question

I simply want to store one 32 bytes long symmetric key persistently in the NV storage of the TPM and after a power-cycle, use it (without getting it out of the TPM) to encrypt small-sized data.

I've tried to do that in two different ways:

1)

• Create the key with TPM's random bytes generator
• Define space in NV and write the key in it
• Problem: I know how to read it, but how can I load it so I can use it inside the TPM?

2)

• Create an AES key with TPM2_Create command
• Make it persistent with TPM2_EvictControl command
• Through the same power cycle, I have its handle and I can load it and use it
• Problem: Similar to before, How to load it and use it after the next power cycle?

I scanned TCG's Specs and I even read this free practical guide to TPM2.0 and haven't found any clues to my problems.

What am I missing?

Answer 1

TPM2_EncryptDecrypt is meant to be used with symmetric keys. Pass the key handle you obtained with the TPM2_EvictControl as the @keyHandle parameter, and set the decrypt parameter appropriately. Set mode to TPM_ALG_NUL so the default mode is used.

Keep in mind that it's not practical to use the TPM for encrypting large amounts of data (what symmetric keys are typically used for).