diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 ## Changelog
 ### next
+  * tpm2_createak: support for non-persistent AK generation.
+  * tpm2_createek: support for non-persistent EK generation.
+  * tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is used for format of public key
+    output.
+  * tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is used for format of public key
+    output.
   * Libre SSL builds fixed.
   * Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti options.
   * tpm2_sign: supports signing a pre-computed hash via -D

diff --git a/Makefile.am b/Makefile.am
@@ -55,6 +55,8 @@ bin_PROGRAMS = \
     tools/tpm2_clear \
     tools/tpm2_clearlock \
     tools/tpm2_create \
+    tools/tpm2_createak \
+    tools/tpm2_createek \
     tools/tpm2_createpolicy \
     tools/tpm2_createprimary \
     tools/tpm2_dictionarylockout \
@@ -63,8 +65,6 @@ bin_PROGRAMS = \
     tools/tpm2_evictcontrol \
     tools/tpm2_flushcontext \
     tools/tpm2_getmanufec \
-    tools/tpm2_getpubak \
-    tools/tpm2_getpubek \
     tools/tpm2_getrandom \
     tools/tpm2_hash \
     tools/tpm2_hmac \
@@ -107,6 +107,8 @@ lib_libcommon_a_SOURCES = \
     lib/tpm2_alg_util.h \
     lib/tpm2_attr_util.c \
     lib/tpm2_attr_util.h \
+    lib/tpm2_ctx_mgmt.c \
+    lib/tpm2_ctx_mgmt.h \
     lib/tpm2_errata.c \
     lib/tpm2_errata.h \
     lib/tpm2_error.c \
@@ -157,8 +159,8 @@ tools_tpm2_getmanufec_LDADD = $(LDADD) $(CURL_LIBS)
 tools_tpm2_getmanufec_SOURCES = tools/tpm2_getmanufec.c $(TOOL_SRC)
 tools_tpm2_quote_SOURCES = tools/tpm2_quote.c $(TOOL_SRC)
 tools_tpm2_changeauth_SOURCES = tools/tpm2_changeauth.c $(TOOL_SRC)
-tools_tpm2_getpubek_SOURCES = tools/tpm2_getpubek.c $(TOOL_SRC)
-tools_tpm2_getpubak_SOURCES = tools/tpm2_getpubak.c $(TOOL_SRC)
+tools_tpm2_createek_SOURCES = tools/tpm2_createek.c $(TOOL_SRC)
+tools_tpm2_createak_SOURCES = tools/tpm2_createak.c $(TOOL_SRC)
 tools_tpm2_hash_SOURCES = tools/tpm2_hash.c $(TOOL_SRC)
 tools_tpm2_activatecredential_SOURCES = tools/tpm2_activatecredential.c $(TOOL_SRC)
 tools_tpm2_makecredential_SOURCES = tools/tpm2_makecredential.c $(TOOL_SRC)
@@ -284,6 +286,8 @@ if HAVE_PANDOC
     man/man1/tpm2_clear.1 \
     man/man1/tpm2_clearlock.1 \
     man/man1/tpm2_create.1 \
+    man/man1/tpm2_createak.1 \
+    man/man1/tpm2_createek.1 \
     man/man1/tpm2_createpolicy.1 \
     man/man1/tpm2_createprimary.1 \
     man/man1/tpm2_dictionarylockout.1 \
@@ -292,8 +296,6 @@ if HAVE_PANDOC
     man/man1/tpm2_evictcontrol.1 \
     man/man1/tpm2_flushcontext.1 \
     man/man1/tpm2_getmanufec.1 \
-    man/man1/tpm2_getpubak.1 \
-    man/man1/tpm2_getpubek.1 \
     man/man1/tpm2_getrandom.1 \
     man/man1/tpm2_hash.1 \
     man/man1/tpm2_hmac.1 \

diff --git a/lib/files.c b/lib/files.c
@@ -634,3 +634,6 @@ LOAD_TYPE(TPM2B_SENSITIVE, sensitive)
 
 SAVE_TYPE(TPMT_TK_HASHCHECK, validation)
 LOAD_TYPE(TPMT_TK_HASHCHECK, validation)
+
+SAVE_TYPE(TPM2B_PRIVATE, private)
+LOAD_TYPE(TPM2B_PRIVATE, private)
diff --git a/lib/files.h b/lib/files.h
@@ -213,6 +213,16 @@ bool files_load_ticket(const char *path, TPMT_TK_VERIFIED *ticket);
  */
 bool files_load_sensitive(const char *path, TPM2B_SENSITIVE *sensitive);
 
+/**
+ * Serializes a TPM2B_SENSITIVE to the file path provided.
+ * @param sensitive
+ *  The TPM2B_SENSITIVE to save to disk.
+ * @param path
+ *  The path to save to.
+ * @return
+ *  true on success, false on error.
+ */
+bool files_save_sensitive(TPM2B_SENSITIVE *sensitive, const char *path);
 /**
  * Serializes a TPMT_TK_HASHCHECK to the file path provided.
  * @param validation
@@ -235,6 +245,28 @@ bool files_save_validation(TPMT_TK_HASHCHECK *validation, const char *path);
  */
 bool files_load_validation(const char *path, TPMT_TK_HASHCHECK *validation);
 
+/**
+ * Serializes a TPM2B_PRIVATE to the file path provided.
+ * @param private
+ *  The TPM2B_PRIVATE to save to disk.
+ * @param path
+ *  The path to save to.
+ * @return
+ *  true on success, false on error.
+ */
+bool files_save_private(TPM2B_PRIVATE *private, const char *path);
+
+/**
+ * Loads a TPM2B_PRIVATE from disk.
+ * @param private
+ *  The path to load from.
+ * @param validation
+ *  The TPM2B_PRIVATE to load.
+ * @return
+ *  true on success, false on error.
+ */
+bool files_load_private(const char *path, TPM2B_PRIVATE *private);
+
 /**
  * Checks a file for existence.
  * @param path

diff --git a/lib/tpm2_ctx_mgmt.c b/lib/tpm2_ctx_mgmt.c
@@ -0,0 +1,31 @@
+#include <stdbool.h>
+
+#include <sapi/tpm20.h>
+
+#include "log.h"
+#include "tpm2_ctx_mgmt.h"
+
+bool tpm2_ctx_mgmt_evictcontrol(TSS2_SYS_CONTEXT *sapi_context,
+        TPMI_RH_PROVISION provision,
+        TPMS_AUTH_COMMAND *sdata,
+        TPMI_DH_OBJECT objhandle,
+        TPMI_DH_PERSISTENT phandle) {
+
+    TSS2L_SYS_AUTH_COMMAND sessionsData =
+        TSS2L_SYS_AUTH_COMMAND_INIT(1, { *sdata });
+
+    TSS2L_SYS_AUTH_RESPONSE sessionsDataOut;
+
+    TSS2_RC rval = TSS2_RETRY_EXP(Tss2_Sys_EvictControl(sapi_context,
+        provision,
+        objhandle,
+        &sessionsData,
+        phandle,
+        &sessionsDataOut));
+    if (rval != TSS2_RC_SUCCESS) {
+        LOG_PERR(Tss2_Sys_EvictControl, rval);
+        return false;
+    }
+
+    return true;
+}
diff --git a/lib/tpm2_ctx_mgmt.h b/lib/tpm2_ctx_mgmt.h
@@ -0,0 +1,25 @@
+#ifndef LIB_TPM2_CTX_MGMT_H_
+#define LIB_TPM2_CTX_MGMT_H_
+
+/**
+ * Invokes evictcontrol for manipulating the persistence of loaded
+ * objects in TPM memory.
+ * @param sapi_context
+ *  The system api context
+ * @param sdata
+ *  The authorization data.
+ * @param objhandle
+ *  The object handle to manipulate.
+ * @param phandle
+ *  The persistent handle to use.
+ * @return
+ *  True on success, False on error.
+ *  Use LOG_PERR() to output error information.
+ */
+bool tpm2_ctx_mgmt_evictcontrol(TSS2_SYS_CONTEXT *sapi_context,
+        TPMI_RH_PROVISION provision,
+        TPMS_AUTH_COMMAND *sdata,
+        TPMI_DH_OBJECT objhandle,
+        TPMI_DH_PERSISTENT phandle);
+
+#endif /* LIB_TPM2_CTX_MGMT_H_ */
diff --git a/lib/tpm2_hierarchy.c b/lib/tpm2_hierarchy.c
@@ -110,3 +110,27 @@ bool tpm2_hierarchy_from_optarg(const char *value,
 
     return result;
 }
+
+bool tpm2_hierarrchy_create_primary(TSS2_SYS_CONTEXT *sapi_context,
+        TPMS_AUTH_COMMAND *sdata,
+        tpm2_hierearchy_pdata *objdata) {
+
+    TSS2L_SYS_AUTH_COMMAND sessionsData =
+            TSS2L_SYS_AUTH_COMMAND_INIT(1, {*sdata});
+
+    TSS2L_SYS_AUTH_RESPONSE sessionsDataOut;
+    TSS2_RC rval = TSS2_RETRY_EXP(
+            Tss2_Sys_CreatePrimary(sapi_context, objdata->in.hierarchy,
+                &sessionsData, &objdata->in.sensitive, &objdata->in.public,
+                &objdata->in.outside_info, &objdata->in.creation_pcr,
+                &objdata->out.handle, &objdata->out.public,
+                &objdata->out.creation.data, &objdata->out.hash,
+                &objdata->out.creation.ticket, &objdata->out.name,
+                &sessionsDataOut));
+    if (rval != TPM2_RC_SUCCESS) {
+        LOG_PERR(Tss2_Sys_CreatePrimary, rval);
+        return false;
+    }
+
+    return true;
+}
diff --git a/lib/tpm2_hierarchy.h b/lib/tpm2_hierarchy.h
@@ -50,4 +50,75 @@ enum tpm2_hierarchy_flags {
 bool tpm2_hierarchy_from_optarg(const char *value,
         TPMI_RH_PROVISION *hierarchy, tpm2_hierarchy_flags flags);
 
+typedef struct tpm2_hierearchy_pdata tpm2_hierearchy_pdata;
+struct tpm2_hierearchy_pdata {
+    struct {
+        TPMI_RH_HIERARCHY hierarchy;
+        TPM2B_SENSITIVE_CREATE sensitive;
+        TPM2B_PUBLIC public;
+        TPM2B_DATA outside_info;
+        TPML_PCR_SELECTION creation_pcr;
+        TPM2_HANDLE object_handle;
+    } in;
+    struct {
+        TPM2_HANDLE handle;
+        TPM2B_PUBLIC public;
+        TPM2B_DIGEST hash;
+        struct {
+            TPM2B_CREATION_DATA data;
+            TPMT_TK_CREATION ticket;
+        } creation;
+        TPM2B_NAME name;
+    } out;
+};
+
+#define _PUBLIC_AREA_TPMA_OBJECT_DEFAULT_INIT { \
+    .publicArea = { \
+        .nameAlg = TPM2_ALG_SHA256, \
+        .type = TPM2_ALG_RSA, \
+        .objectAttributes = \
+            TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT \
+            |TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT \
+            |TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH, \
+        .parameters = { \
+            .rsaDetail = { \
+                .exponent = 0, \
+                .symmetric = { \
+                    .algorithm = TPM2_ALG_AES, \
+                    .keyBits = { .aes = 128 }, \
+                    .mode = { .aes = TPM2_ALG_CFB }, \
+                 }, \
+            .scheme = { .scheme = TPM2_ALG_NULL }, \
+            .keyBits = 2048 \
+            }, \
+        }, \
+            .unique = { .rsa = { .size = 0 } } \
+    }, \
+}
+
+#define TPM2_HIERARCHY_DATA_INIT { \
+    .in = { \
+        .public = _PUBLIC_AREA_TPMA_OBJECT_DEFAULT_INIT, \
+        .sensitive = TPM2B_SENSITIVE_CREATE_EMPTY_INIT, \
+        .hierarchy = TPM2_RH_NULL \
+    }, \
+}
+
+/**
+ * Creates a primary object.
+ * @param sapi_context
+ *  The system api context
+ * @param sdata
+ *  The authorization data for the hierarchy the primary object
+ *  is associated with.
+ * @param objdata
+ *  The objects data configuration.
+ * @return
+ *  True on success, False on error.
+ *  Logs errors via LOG_ERR().
+ */
+bool tpm2_hierarrchy_create_primary(TSS2_SYS_CONTEXT *sapi_context,
+        TPMS_AUTH_COMMAND *sdata,
+        tpm2_hierearchy_pdata *objdata);
+
 #endif /* TOOLS_TPM2_HIERARCHY_H_ */