Vcenter TrustedInfrastructure Hosts Hardware Tpm EndorsementKeys UnsealSpec


The Vcenter TrustedInfrastructure Hosts Hardware Tpm EndorsementKeys UnsealSpec schema contains information that describes the structures required to unseal a secret.

This schema was added in vSphere API 8.0.0.1.

JSON Example
{
    "public_area": "string",
    "private_area": "string",
    "seed": "string",
    "policy_pcr": {
        "pcrs": "string",
        "pcr_digest": "string"
    }
}
string As byte
public_area
Required

The public area corresponding to the Vcenter TrustedInfrastructure Hosts Hardware Tpm EndorsementKeys UnsealSpec.private_area secret that is being unsealed.

The public area is a TPM2B_PUBLIC structure.

Trusted Platform Module Library Part 2: Structures, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 12.2.5 TPM2B_PUBLIC

This public area is used as the "objectPublic" input to the TPM2_Import command.

Trusted Platform Module Library Part 3: Commands, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import

This property was added in vSphere API 8.0.0.1.

string As byte
private_area
Required

A private area that contains a secret to be unsealed.

The private area is symmetrically encrypted with a key derived from the seed value carried in Vcenter TrustedInfrastructure Hosts Hardware Tpm EndorsementKeys UnsealSpec.seed.

The private area is a TPM2B_PRIVATE structure.

Trusted Platform Module Library Part 2: Structures, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 12.3.7 TPM2B_PRIVATE

This private area is used as the "duplicate" input to the TPM2_Import command.

Trusted Platform Module Library Part 3: Commands, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import

This property was added in vSphere API 8.0.0.1.

string As byte
seed
Required

A seed value that is encrypted by the TPM endorsement key.

The seed is decrypted with the endorsement key and then used to derive the symmetric key that decrypts Vcenter TrustedInfrastructure Hosts Hardware Tpm EndorsementKeys UnsealSpec.private_area. This ensures that only a TPM holding the expected endorsement key can unseal the secret.

The seed value is a TPM2B_ENCRYPTED_SECRET structure.

Trusted Platform Module Library Part 2: Structures, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 11.4.3 TPM2B_ENCRYPTED_SECRET

This seed is used as the "inSymSeed" input to the TPM2_Import command.

Trusted Platform Module Library Part 3: Commands, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import

This property was added in vSphere API 8.0.0.1.

policy_pcr
Optional

PCR policy required to unseal the secret.

Used as input to the TPM2_PolicyPCR command on a session that is created for issuing the TPM2_Unseal command.

Trusted Platform Module Library Part 3: Commands, Family "2.0", Level 00 Revision 01.59, November 8, 2019, Section 23.7 TPM2_PolicyPCR

This property was added in vSphere API 8.0.0.1.

If missing or null, then a zeroed authorization policy is used for the TPM2_Unseal session. In that case the sealed object must have been created with an empty authPolicy; an object sealed to a PCR policy cannot be unsealed without a matching policy_pcr.
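The following is an added example, not vSphere's own code, that assembles an UnsealSpec from the three TPM2B blobs destined for TPM2_Import and checks them against what TPM2_Import and a TPM2_PolicyPCR-gated TPM2_Unseal will require. It assumes, beyond what the page states, that the byte fields travel base64-encoded, that policy_pcr.pcrs is a marshaled TPML_PCR_SELECTION and policy_pcr.pcr_digest the pcrDigest TPM2_PolicyPCR expects, and that the sealed object's nameAlg is SHA-256. The sample blobs are constructed in the script and are not real TPM output.

```python
"""Build and sanity-check a vSphere UnsealSpec body from raw TPM 2.0 blobs.

Added example, not vSphere's own code. Assumptions not stated on the page:
  * byte fields are transported base64-encoded;
  * policy_pcr.pcrs is a marshaled TPML_PCR_SELECTION, policy_pcr.pcr_digest the
    pcrDigest that TPM2_PolicyPCR expects;
  * the sealed object uses SHA-256 as nameAlg.
All sample data below is constructed here, not captured from a TPM.
"""
import base64
import hashlib
import json
import os
import struct

TPM_ALG_KEYEDHASH = 0x0008
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_CC_PolicyPCR = 0x0000017F
ATTR_FIXED_TPM = 1 << 1
ATTR_FIXED_PARENT = 1 << 4


def tpm2b_unwrap(blob: bytes, what: str) -> bytes:
    """Strip the 2-byte big-endian size prefix of a TPM2B_* structure, rejecting a
    blob whose prefix does not match its payload (the usual transport bug)."""
    if len(blob) < 2:
        raise ValueError(f"{what}: shorter than a TPM2B size field")
    (size,) = struct.unpack(">H", blob[:2])
    if size != len(blob) - 2:
        raise ValueError(f"{what}: size prefix {size} != payload length {len(blob) - 2}")
    return blob[2:]


def tpm2b_wrap(payload: bytes) -> bytes:
    return struct.pack(">H", len(payload)) + payload


def marshal_pcr_selection(pcr_indices, hash_alg=TPM_ALG_SHA256) -> bytes:
    """TPML_PCR_SELECTION, one bank: count(4) || hashAlg(2) || sizeofSelect(1) || bitmap(3)."""
    bitmap = bytearray(3)
    for i in pcr_indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, hash_alg, 3) + bytes(bitmap)


def pcr_digest(pcr_values) -> bytes:
    """pcrDigest as TPM2_PolicyPCR computes it: hash of the selected PCR values
    concatenated in ascending PCR order (Part 3, section 23.7)."""
    h = hashlib.sha256()
    for idx in sorted(pcr_values):
        h.update(pcr_values[idx])
    return h.digest()


def policy_pcr_digest(pcrs: bytes, digest: bytes) -> bytes:
    """policyDigest of a fresh session after TPM2_PolicyPCR:
    H(0^32 || TPM_CC_PolicyPCR || pcrs || pcrDigest)."""
    return hashlib.sha256(b"\x00" * 32 + struct.pack(">I", TPM_CC_PolicyPCR) + pcrs + digest).digest()


def parse_public_prefix(public_area: bytes):
    """Return (type, nameAlg, objectAttributes, authPolicy) from a TPM2B_PUBLIC."""
    body = tpm2b_unwrap(public_area, "public_area")
    obj_type, name_alg, attrs, policy_len = struct.unpack(">HHIH", body[:10])
    auth_policy = body[10:10 + policy_len]
    if len(auth_policy) != policy_len:
        raise ValueError("public_area: truncated authPolicy")
    return obj_type, name_alg, attrs, auth_policy


def build_unseal_spec(public_area, private_area, seed, pcr_values=None) -> dict:
    """Check the blobs against TPM2_Import / TPM2_Unseal rules, then build the JSON body."""
    obj_type, _name_alg, attrs, auth_policy = parse_public_prefix(public_area)
    tpm2b_unwrap(private_area, "private_area")
    tpm2b_unwrap(seed, "seed")
    if attrs & (ATTR_FIXED_TPM | ATTR_FIXED_PARENT):
        raise ValueError("TPM2_Import rejects objects with fixedTPM or fixedParent set")
    if obj_type != TPM_ALG_KEYEDHASH:
        raise ValueError("a sealed data object must be a TPM_ALG_KEYEDHASH object")
    spec = {"public_area": base64.b64encode(public_area).decode(),
            "private_area": base64.b64encode(private_area).decode(),
            "seed": base64.b64encode(seed).decode()}
    if pcr_values is None:
        # No policy_pcr means a zeroed policy on the unseal session: authPolicy must be empty.
        if auth_policy:
            raise ValueError("object carries an authPolicy but no policy_pcr was given; unseal would fail")
        return spec
    pcrs = marshal_pcr_selection(pcr_values.keys())
    digest = pcr_digest(pcr_values)
    if policy_pcr_digest(pcrs, digest) != auth_policy:
        raise ValueError("policy_pcr does not reproduce the object's authPolicy; TPM2_Unseal would fail")
    spec["policy_pcr"] = {"pcrs": base64.b64encode(pcrs).decode(),
                          "pcr_digest": base64.b64encode(digest).decode()}
    return spec


def constructed_sealed_public(auth_policy: bytes) -> bytes:
    """Constructed TPM2B_PUBLIC of a duplicable sealed object (keyedhash, SHA-256 nameAlg,
    null scheme, noDA set, fixedTPM/fixedParent clear). Layout only, not TPM2_Create output."""
    parms = struct.pack(">H", TPM_ALG_NULL)                      # TPMS_KEYEDHASH_PARMS.scheme
    unique = tpm2b_wrap(hashlib.sha256(b"constructed").digest())  # TPM2B_DIGEST unique
    body = struct.pack(">HHI", TPM_ALG_KEYEDHASH, TPM_ALG_SHA256, 0x00000400)
    return tpm2b_wrap(body + tpm2b_wrap(auth_policy) + parms + unique)


# Constructed sample: PCR 0 and 7 values, an object sealed to that policy, dummy private/seed blobs.
SAMPLE_PCRS = {0: hashlib.sha256(b"pcr0").digest(), 7: hashlib.sha256(b"pcr7").digest()}
SAMPLE_POLICY = policy_pcr_digest(marshal_pcr_selection(SAMPLE_PCRS), pcr_digest(SAMPLE_PCRS))
SAMPLE_PUBLIC = constructed_sealed_public(SAMPLE_POLICY)
SAMPLE_PRIVATE = tpm2b_wrap(os.urandom(80))   # stands in for the TPM2B_PRIVATE duplicate blob
SAMPLE_SEED = tpm2b_wrap(os.urandom(256))     # stands in for an RSA-2048 TPM2B_ENCRYPTED_SECRET

if __name__ == "__main__":
    print(json.dumps(build_unseal_spec(SAMPLE_PUBLIC, SAMPLE_PRIVATE, SAMPLE_SEED, SAMPLE_PCRS), indent=2))
```

The policy check matters more than the size checks: TPM2_Import will accept a well-formed duplicate whose public area names a PCR policy, but the later TPM2_Unseal fails unless the session's policyDigest after TPM2_PolicyPCR equals the object's authPolicy, so mismatched PCR selections or digests are best caught before the spec is submitted.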