May I know how to encrypt using the key generated by tpm2_ecdhzgen

[PunyHunter]

This is my process of ECDH key exchange, which generates a symmetric key(secret1. dat or secret2. dat)?
TPMA
tpm2_createprimary -C o -c primaryA.ctx
tpm2_create -C primaryA.ctx -c keyA.ctx -u ecdhA.pub -G ecc256:ecdh -r ecdhA.pri
tpm2_ecdhzgen -k ecdhB.pub -o secret1.dat -c keyA.ctx

TPMB
tpm2_createprimary -C o -c primaryB.ctx
tpm2_create -C primaryB.ctx -c keyB.ctx -u ecdhB.pub -G ecc256:ecdh -r ecdhB.pri
tpm2_ecdhzgen -k ecdhA.pub -o secret2.dat -c keyB.ctx

How should I use secret1. dat or secret2. dat to encrypt？tpm2_encryptdecrypt and tpm2_load seem useless.

[JuergenReppSIT]

Please check "Generate shared secret using ECDH keys": #3202

[PunyHunter]

Please check "Generate shared secret using ECDH keys": #3202
Thank you!Now I learn about how to create shared secret. My problem is how to load it into the TPM to encrypt something, or how to use it to generate the key used by the TPM.

[PunyHunter]

请检查“使用 ECDH 密钥生成共享密钥”：#3202 谢谢！现在，我将学习如何创建共享密钥。我的问题是如何将其加载到 TPM 中以加密某些内容，或者如何使用它来生成 TPM 使用的密钥。
May be should I use tpm2_ecephemeral ,and then put it in KDF to generate a pem key.import the pem?

[JuergenReppSIT]

If your TPM does not support TPM2_EncryptDecrypt you will get error 0x143 from tpm2_encryptdecrypt and you can use e.g. openssl for this purpose.
If your TPM supports TPM2_EncryptDecrypt you can encrypt/decrypt data with a symmetric key as in the following example:

tpm2_createprimary -C o -c primary.ctx
echo secret > secret.dat
cat /dev/urandom | head -c 16 > symkey.bin
tpm2_import -C primary.ctx -r symkey.priv -u symkey.pub -Gaes128 -i symkey.bin
tpm2_load -C primary.ctx -u symkey.pub -r symkey.priv -c symkey.ctx
tpm2_encryptdecrypt -c symkey.ctx -o secret.enc secret.dat
tpm2_encryptdecrypt -d -c symkey.ctx -o secret.dec secret.enc
cat secret.dec

[PunyHunter]

If your TPM does not support TPM2_EncryptDecrypt you will get error 0x143 from tpm2_encryptdecrypt and you can use e.g. openssl for this purpose. If your TPM supports TPM2_EncryptDecrypt you can encrypt/decrypt data with a symmetric key as in the following example:

tpm2_createprimary -C o -c primary.ctx
echo secret > secret.dat
cat /dev/urandom | head -c 16 > symkey.bin
tpm2_import -C primary.ctx -r symkey.priv -u symkey.pub -Gaes128 -i symkey.bin
tpm2_load -C primary.ctx -u symkey.pub -r symkey.priv -c symkey.ctx
tpm2_encryptdecrypt -c symkey.ctx -o secret.enc secret.dat
tpm2_encryptdecrypt -d -c symkey.ctx -o secret.dec secret.enc
cat secret.dec

Thanks for your answer. I think what you mean is that tpm2_import the share secret as a symmetric key.
tpm2_import(1) - Imports an external generated key as TPM managed key object. It requires that the parent key object be a RSA key.
It means that the algorithm of the primary key in your instance must be RSA?

[JuergenReppSIT]

I think what you mean is that tpm2_import the share secret as a symmetric key.

yes, you could use your shared secret instead of symkey.bin

It means that the algorithm of the primary key in your instance must be RSA?

No you can also use ECC keys (-G ecc)

[PunyHunter]

Thanks a lot.I know how to use the shared secret.