TPM – ECC based encryption / decryption using the public key
Our device comes with a device certificate which was signed with our private registration authority (CA). The private key (type ECC) was generated on the device itself - to be more specific directly on the on-board TPM. The public key is included inside the device certificate.
Now we have a use-case where we want to encrypt some sensitive files to be used on the device and wondered how we could do this with existing mechanisms. Could the public ECC key inside the device certificate (or something derived from it) be used to encrypt data that only the device would be able to decrypt using its private TPM-based ECC key (or something derived from it)?
What options do we have to encrypt something for the device while using device-specific information? We would not like that the encrypted file would work on every device which would be the case if we used a shared secret and symmetric encryption directly.