I did a lot of research, but I still have some issues with concept of the TPM and his handling with keys.

First at all, the task is to create a RSA-Key for encryption. We want to use this later for verifing the communication between multiple clients and server. Each client has his own Key.

So the idea was, we use the TPM for the unique and safety reason. We are using mostly windows and .NET Core, so first catch is TSS.Net. I checked the source code for better understanding and I go through the samples that are provided inside.

During the tests I got some trouble, maybe I'm thinking in the wrong direction, but what I tried or want to.

Creating the Key inside the TPM (or a previosly created key and import this). Export the public part for storing, because I need this on server side.

My problem here is, I do not see, how can I access the correct key after a restart of the application or machine. I do not see the bookmark/key that I can use later. In simple, I just want a function where I can say, give me the key with the name "xxx". I only see the TPMHandle. See the Code below.

So for me the main questions is. How can i retrieve access to the Key, once he is stored/protected by the TPM?

Second question, How can i convert the TPMPublic or TSSObject into a valid format for storing and later usage. I do not see, how can I export these correct, so that I can use these on the server. Bytestream or something. The regular RSACryptoProvider has some functions for export the Keys to XML or in PEM-Format.

So finally, I just need some clarification. I don't want just a solution, I also want to understand what happens.

P.S.:

I use mainly the code from the samples, as long I have no further understanding of the concept see url: .MSR/blob/main/TSS.NET/Samples/Import/Program.cs

e.g, for the Import

        static void GenerateAndImport(Tpm2 tpm, TpmPublic keyPub, TpmHandle hParent)
        {
            //
            // Create a software key with the given template
            //

            // Generate a random auth value for the key to be created (though we could use an empty buffer, too).
            var keyAuth = AuthValue.FromRandom(CryptoLib.DigestSize(keyPub.nameAlg));

            // Generate the key
            TssObject swKey = TssObject.Create(keyPub, keyAuth);

            //
            // Create duplication blob for the new key with the SRK as the new parent
            //

            // Retrieve the public area of the intended parent key from the TPM 
            // We do not need the name (and qualified name) of the key here, but
            // the TPM command returns them anyway.
            // NOTE - Alternatively we could get the public area from the overloaded
            // form of the CreateRsaPrimaryStorageKey() helper used to create the parent
            // key, as all TPM key creation commands (TPM2_CreatePrimary(), TPM2_Create()
            // and TPM2_CreateLoaded()) return it.
            byte[] name, qname;
            TpmPublic pubParent = tpm.ReadPublic(hParent, out name, out qname);

            byte[] encSecret;
            TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, null, out encSecret);

            // Import the duplication blob into the TPM
            TpmPrivate privImp = tpm.Import(hParent, null, swKey.Public, dupBlob, encSecret, new SymDefObject());

            // Load the imported key ...
            TpmHandle hKey = tpm.Load(hParent, privImp, swKey.Public)
                                .SetAuth(swKey.Sensitive.authValue);

            // ... and validate that it works
            byte[] message = Globs.GetRandomBytes(32);

            if (keyPub.objectAttributes.HasFlag(ObjectAttr.Decrypt))
            {
                // Encrypt something
                if (keyPub.type == TpmAlgId.Symcipher)
                {
                    // Only need software symcypher here to query IV size.
                    // Normally, when you use a fixed algorithm, you can hardcode it.
                    var swSym = SymCipher.Create(keyPub.parameters as SymDefObject);
                    byte[] ivIn = Globs.GetRandomBytes(swSym.IVSize),
                           ivOut = null;
                    byte[] cipher = swKey.Encrypt(message, ref ivIn, out ivOut);

                    // Not all TPMs implement TPM2_EncryptDecrypt() command
                    tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked);
                    byte[] decrypted = tpm.EncryptDecrypt(hKey, 1, TpmAlgId.Null, ivIn,
                                                    cipher, out ivOut);
                    if (tpm._LastCommandSucceeded())
                    {
                        bool decOk = Globs.ArraysAreEqual(message, decrypted);
                        Console.WriteLine("Imported symmetric key validation {0}",
                                          decOk ? "SUCCEEDED" : "FAILED");
                    }
                }
            }
            else
            {
                // Sign something (works for both asymmetric and MAC keys)
                string keyType = keyPub.type == TpmAlgId.Rsa ? "RSA"
                               : keyPub.type == TpmAlgId.Keyedhash ? "HMAC"
                               : "UNKNOWN"; // Should not happen in this sample
                TpmAlgId sigHashAlg = GetSchemeHash(keyPub);
                TpmHash toSign = TpmHash.FromData(sigHashAlg, message);
                var proofx = new TkHashcheck(TpmRh.Null, null);
                ISignatureUnion sig = tpm.Sign(hKey, toSign, null, proofx);
                bool sigOk = swKey.VerifySignatureOverHash(toSign, sig);
                Console.WriteLine("Imported {0} key validation {1}", keyType,
                                  sigOk ? "SUCCEEDED" : "FAILED");
            }

            // Free TPM resources taken by the loaded imported key
            tpm.FlushContext(hKey);
        } // GenerateAndImport

So here between the call of tpm.import and tpm.load, if I had here a break. how can I retrieve the correct objects later, if I need the imported key?