" the key is to be provided as a hex string or in binary\n"
" format; the keyfile can be automatically removed using\n"
" the remove parameter\n"
-"--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+"--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
-" derived from this passphrase\n"
+" derived from this passphrase; default kdf is PBKDF2\n"
"--locality [reject-locality-4][,allow-set-locality]\n"
" : reject-locality-4: reject any command in locality 4\n"
" allow-set-locality: accept SetLocality command\n"
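Review bot: The sentence "default kdf is PBKDF2" under --key pwdfile changes how the AES key is derived when no kdf is given, but the help text does not say what this means for state that was encrypted before the option existed. If earlier versions derived the key the way kdf=sha512 does, existing state will no longer decrypt with the same passphrase file unless the user adds kdf=sha512. Please state that here or in the man page, for example "use kdf=sha512 for state created by older versions".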
" when it is retrieved from the TPM via ioctls;\n"
" Setting this key ensures that the TPM's state will always\n"
" be encrypted when migrated\n"
-"--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+"--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
-" derived from this passphrase\n"
+" derived from this passphrase; default kdf is PBKDF2\n"
"--log file=<path>|fd=<filedescriptor>[,level=n][,prefix=<prefix>][,truncate]\n"
" : write the TPM's log into the given file rather than\n"
" to the console; provide '-' for path to avoid logging\n"
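Review bot: For --migration-key the kdf choice has to agree on both ends of a migration, and the text after "default kdf is PBKDF2" does not mention it. A source and destination that use different kdf values (or different versions with different defaults) would derive different AES keys from the same pwdfile, and the migrated state would not decrypt. Add a line saying that kdf must match on the sending and receiving side.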
" when it is retrieved from the TPM via ioctls;\n"
" Setting this key ensures that the TPM's state will always\n"
" be encrypted when migrated\n"
- "--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+ "--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
- " derived from this passphrase\n"
+ " derived from this passphrase; default kdf is PBKDF2\n"
"--log file=<path>|fd=<filedescriptor>[,level=n][,prefix=<prefix>][,truncate]\n"
" : write the TPM's log into the given file rather than\n"
" to the console; provide '-' for path to avoid logging\n"
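Review bot: Style point on the changed synopsis line: with "[,kdf=sha512|pbkdf2]" appended, the --migration-key pwdfile line grows from about 79 to about 99 characters and will wrap on an 80-column terminal, while the description lines below it are kept short. Consider splitting the synopsis across two string literals with a continuation indent so the --help output stays aligned.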
" the key is to be provided as a hex string or in binary\n"
" format; the keyfile can be automatically removed using\n"
" the remove parameter\n"
- "--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+ "--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
- " derived from this passphrase\n"
+ " derived from this passphrase; default kdf is PBKDF2\n"
"--locality [reject-locality-4][,allow-set-locality]\n"
" : reject-locality-4: reject any command in locality 4\n"
" allow-set-locality: accept SetLocality command\n"
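Review bot: Missing documentation in the --key description: the synopsis offers kdf=sha512|pbkdf2, but the only explanation is "default kdf is PBKDF2". Neither value is described, and nothing tells the user when sha512 would be the right choice or which PBKDF2 parameters (hash, salt, iteration count) are in effect. A short per-value description, in the style of the reject-locality-4 / allow-set-locality entries below, would help; also consider writing the default as "pbkdf2" so it matches the literal the user has to type.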
" when it is retrieved from the TPM via ioctls;\n"
" Setting this key ensures that the TPM's state will always\n"
" be encrypted when migrated\n"
- "--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+ "--migration-key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
- " derived from this passphrase\n"
+ " derived from this passphrase; default kdf is PBKDF2\n"
"--log file=<path>|fd=<filedescriptor>[,level=n][,prefix=<prefix>][,truncate]\n"
" : write the TPM's log into the given file rather than\n"
" to the console; provide '-' for path to avoid logging\n"
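Review bot: The same two --migration-key strings are edited here as in the earlier hunks, so the option text lives in several copies that must be kept in sync by hand. Since a mismatch between copies would leave one front end advertising a kdf default that another does not, consider moving the shared --key / --migration-key help text into one definition that each usage function includes.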
" the key is to be provided as a hex string or in binary\n"
" format; the keyfile can be automatically removed using\n"
" the remove parameter\n"
- "--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]]\n"
+ "--key pwdfile=<path>[,mode=aes-cbc|aes-256-cbc][,remove=[true|false]][,kdf=sha512|pbkdf2]\n"
" : provide a passphrase in a file; the AES key will be\n"
- " derived from this passphrase\n"
+ " derived from this passphrase; default kdf is PBKDF2\n"
"--pid file=<path>|fd=<filedescriptor>\n"
" : write the process ID into the given file\n"
"--tpmstate dir=<dir>[,mode=0...]\n"