0

Does certutil -csp "Microsoft Platform Crypto Provider" -importpfx options really store the private key in the TPM? I am wondering why the output of certutil -key -csp "Microsoft Platform Crypto Provider" shows me a location on the hard disk...

Microsoft Platform Crypto Provider:
Test-637559044681743771-7df36675-f51c-4067-9f6d-31ca33d290b7
C:\ProgramData\Microsoft\Crypto\PCPKSP\33b114867a192aae5b73a3a968437c129ab577a4\ec03c4aa087abc780c3ff6448624456b0d1bf68c.PCPKEY RSA

lee23

1 Answer

0

The private key is wrapped by a key in the TPM (usually the Storage Root Key) and saved to disk. The TPM has to unlock the private key, so it is still secured by the TPM.

It is possible to store a few keys in the TPM, but that's not typical.

melds
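A way to check, per certificate, which key storage provider holds the private key and whether it can be exported, complementing the `certutil -key` listing in the question. This is an added example, not part of the original posts; the store path `Cert:\LocalMachine\My` and the function name `Get-CertKeyProvider` are assumptions, and only RSA keys are inspected.

```powershell
# Added example (not from the original posts): report the key storage provider
# behind each certificate's RSA private key. A key imported with
# -csp "Microsoft Platform Crypto Provider" should list that provider even though
# its wrapped blob (.PCPKEY) sits on disk.
$PlatformProvider = 'Microsoft Platform Crypto Provider'   # provider name from the question

function Get-CertKeyProvider {
    param(
        # Assumed store; use Cert:\CurrentUser\My if the PFX was imported per-user.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $policy = $null; $uniqueName = $null; $note = $null
        try {
            # Returns $null for non-RSA keys; RSACng when the key is opened through CNG.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $key        = $rsa.Key                  # CngKey handle
                $provider   = $key.Provider.Provider    # KSP name as a string
                $policy     = $key.ExportPolicy         # None means the key cannot be exported
                $uniqueName = $key.UniqueName           # provider-specific key identifier
            } elseif ($rsa) {
                $note = 'Legacy CAPI key (not a CNG provider)'
            } else {
                $note = 'No RSA private key'
            }
        } catch {
            # Access denied, missing key container, or TPM unavailable.
            $note = $_.Exception.Message
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Provider     = $provider
            TpmProtected = ($provider -eq $PlatformProvider)
            ExportPolicy = $policy
            UniqueName   = $uniqueName
            Note         = $note
        }
    }
}

Get-CertKeyProvider | Format-List
```

Run it from an elevated session when reading the machine store, since opening another account's key handle can fail with access denied.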