the generating user and the system keys to all users.  The
stored in TPM keys are called registered keys.

The keys that are stored in the disk are exported from the TPM but in an
encrypted form.  To access them two passwords are required.  The first
is the TPM Storage Root Key (SRK), and the other is a key-specific
password.  Also those keys are identified by a URL of the form:
tpmkey:file=/path/to/file

When objects require a PIN to be accessed the same callbacks as with
PKCS #11 objects are expected (see *note Accessing objects that require
a PIN::).  Note that the PIN function may be called multiple times to
unlock the SRK and the specific key in use.  The label in the key
function will then be set to 'SRK' when unlocking the SRK key, or to
'TPM' when unlocking any other key.