I am new to TPMs and want to construct a minimal example encrypting and decrypting a file (here for simplicity represented just by a bytes
object). I want everything to be non-persistent, so that the encryption/decryption only works until reboot. Furthermore, I don't want the symmetric encryption key (AES in this case) to leave the TPM.
This is what I have so far:
from tpm2_pytss import *

with ESAPI() as esapi:
    primary = esapi.create_primary(
        in_sensitive=None,
        in_public="rsa2048",
        primary_handle=ESYS_TR.NULL
    )
    primary_handle = primary[0]

    symmetric = esapi.create(primary_handle, None, "aes128cfb")
    # Question: Can I construct this directly inside the TPM?
    # Here it looks like I am importing a key into the TPM that was
    # previously exported from it?
    key_handle = esapi.load(primary_handle, symmetric[0], symmetric[1])

    data = b"0123"
    buff, iv_out = esapi.encrypt_decrypt(
        key_handle,
        decrypt=False,
        mode=TPM2_ALG.AES,
        iv_in=(b'1' * 8),
        in_data=data
    )
    print(buff)
    print(iv_out)
Please also note the question(s) in the code above.
In this form, the example causes this output followed by the exception:
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:328:Esys_EncryptDecrypt_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:110:Esys_EncryptDecrypt() Esys Finish ErrorCode (0x00000143)
Traceback (most recent call last)
[...]
buff, iv_out = esapi.encrypt_decrypt(
^^^^^^^^^^^^^^^^^^^^^^
[...]
tpm2_pytss.TSS2_Exception.TSS2_Exception: tpm:error(2.0): command code not supported
How can I fix this and complete the example? Helpful resources for more info on this are also welcome; Google was not exactly helpful here.
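Worked example, added here and not part of the question above. Error 0x143 is TPM_RC_COMMAND_CODE: the TPM you are talking to does not implement TPM2_EncryptDecrypt, which is an optional command; TPM2_EncryptDecrypt2 is the newer variant that most current TPMs do implement, and tpm2-pytss exposes it as `encrypt_decrypt_2` with the same arguments. Two more things in the posted code would fail right after that: the IV must be exactly one AES block (16 bytes, not 8), and `mode` must be a block-cipher mode (`TPM2_ALG.CFB` to match the `aes128cfb` key, or `TPM2_ALG.NULL` to use the key's own mode), not `TPM2_ALG.AES`. On the in-code question: with `sensitiveDataOrigin` set, `create` makes the TPM generate the AES key from its own RNG; what comes back is the public part plus a private blob encrypted under the parent's seed, and `load` only hands that blob back into object memory, so the key is never in the clear on the host. Using `ESYS_TR.NULL` as the hierarchy is exactly what gives you the "until reboot" behaviour: the NULL hierarchy's seed is regenerated on every TPM reset, so the primary and everything created under it cannot be reloaded afterwards. The code below assumes tpm2-pytss with a reachable TPM (hardware or swtpm via the usual TCTI settings), the ESAPI method names `create_primary`, `create`, `load`, `encrypt_decrypt_2`, `encrypt_decrypt`, `get_random` and `flush_context`, and that `TPM2B_MAX_BUFFER` holds 1024 bytes per call; the helper names and the two constants are mine.

```python
# Added example (not the asker's code): AES key generated inside the TPM, not
# duplicable, transient, and unusable after the next TPM reset (NULL hierarchy).
# Assumes tpm2-pytss with a reachable TPM; helper names and constants are mine.

TPM_RC_COMMAND_CODE = 0x143  # the rc behind "command code not supported"
AES_BLOCK = 16               # AES block size: the IV must be exactly this long
CHUNK = 1024                 # per-call input limit (TPM2B_MAX_BUFFER, assumption)


def make_key(esapi):
    """Create a storage primary in the NULL hierarchy and an AES-128-CFB key under it.

    Nothing is evicted to a persistent handle, and the NULL seed changes on every
    TPM reset, so neither object survives a reboot. SENSITIVEDATAORIGIN makes the
    TPM generate the key; FIXEDTPM/FIXEDPARENT forbid duplication, which is what
    "the key never leaves the TPM" means in TPM terms.
    """
    from tpm2_pytss import ESYS_TR, TPMA_OBJECT, TPM2B_PUBLIC

    # restricted|decrypt spelled out: only a storage key can be a parent
    primary_template = TPM2B_PUBLIC.parse(
        "rsa2048", objectAttributes=TPMA_OBJECT.DEFAULT_TPM2_TOOLS_CREATEPRIMARY_ATTRS
    )
    primary = esapi.create_primary(
        in_sensitive=None, in_public=primary_template, primary_handle=ESYS_TR.NULL
    )[0]

    aes_template = TPM2B_PUBLIC.parse(
        "aes128cfb",
        objectAttributes=(
            TPMA_OBJECT.SENSITIVEDATAORIGIN | TPMA_OBJECT.USERWITHAUTH
            | TPMA_OBJECT.DECRYPT | TPMA_OBJECT.SIGN_ENCRYPT
            | TPMA_OBJECT.FIXEDTPM | TPMA_OBJECT.FIXEDPARENT
        ),
    )
    # create() returns only the public part and a private blob wrapped under the
    # parent; load() hands that blob back. The raw AES key is never visible here.
    priv, pub = esapi.create(primary, None, aes_template)[:2]
    key = esapi.load(primary, priv, pub)
    esapi.flush_context(primary)  # parent not needed once the key is loaded
    return key


def crypt(esapi, key, iv, data, decrypt):
    """Encrypt/decrypt `data` under the loaded key, chunked to the TPM buffer limit.

    ivOut of each call is the CFB chaining value for the next call. Tries
    TPM2_EncryptDecrypt2 first and falls back to TPM2_EncryptDecrypt on
    TPM_RC_COMMAND_CODE, since both commands are optional in the spec.
    """
    if len(iv) != AES_BLOCK:
        raise ValueError("iv must be exactly one AES block (16 bytes)")
    from tpm2_pytss import TPM2_ALG, TSS2_Exception

    def call(fn, chain, chunk):
        # mode is the key's own mode (CFB) or TPM2_ALG.NULL, never TPM2_ALG.AES
        return fn(key, decrypt=decrypt, mode=TPM2_ALG.CFB, iv_in=chain, in_data=chunk)

    use_v2, out, chain = True, bytearray(), iv
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        try:
            buf, chain_out = call(
                esapi.encrypt_decrypt_2 if use_v2 else esapi.encrypt_decrypt, chain, chunk
            )
        except TSS2_Exception as e:
            if not use_v2 or e.rc != TPM_RC_COMMAND_CODE:
                raise
            use_v2 = False  # this TPM only implements the older command
            buf, chain_out = call(esapi.encrypt_decrypt, chain, chunk)
        out += bytes(buf)
        chain = bytes(chain_out)
    return bytes(out)


def roundtrip(message):
    """Encrypt and decrypt `message` with a fresh TPM-resident key -> (ciphertext, plaintext)."""
    from tpm2_pytss import ESAPI
    with ESAPI() as esapi:
        key = make_key(esapi)
        try:
            iv = bytes(esapi.get_random(AES_BLOCK))  # fresh IV from the TPM's RNG
            ct = crypt(esapi, key, iv, message, decrypt=False)
            pt = crypt(esapi, key, iv, ct, decrypt=True)
        finally:
            esapi.flush_context(key)  # transient object gone; nothing persisted
    return ct, pt


if __name__ == "__main__":
    msg = b"attack at dawn, attack at dawn!!"  # constructed 32-byte sample, two AES blocks
    ct, pt = roundtrip(msg)
    print(ct.hex())
    assert pt == msg
```

The tpm2_pytss imports sit inside the functions so the module can be imported on a host without a TPM; only the calls that actually talk to the chip need the library. If you later want the key to outlive a reboot, you would have to create it under the owner or platform hierarchy instead and keep the `priv`/`pub` blobs; under NULL there is nothing to keep.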