As the name of the constant implies, the value of TSS_WELL_KNOWN_SECRET
is well known. It is just 20 bytes of zero.
But you don't actually need the value. The -z option does not require a value; it's just a switch to tell the program to use the well known secret. The help text you cite also states this fact.
So a call to tpm_sealdata might look like this:

    tpm_sealdata -z -i data.in -o data.out

However, to use this method the SRK must have been created with the well known secret, of course. When using tpm_takeownership:

    tpm_takeownership -z