TPM 2.0 support

– for eLux RP 6.7 and later versions –

A TPM 2.0 chip built into the device can be used for basic security functions:

If you want to use TPM 2.0 via WLAN, note the special parameters in the configuration file wpa.conf. For further information, see Configuring WPA supplicant in the IEEE 802.1X short guide.

Requirements for disk encryption

Disk encryption via TPM 2.0

– from eLux RP 6.10 –

If the device-side requirements are met, encryption can be enabled using two different mechanisms:

To encrypt the disk, the partitions must first be formatted. Therefore, as soon as encryption is activated, a firmware update with prior formatting is forced for the relevant devices.

Encrypting the disk via parameter

– from eLux RP 6.10 –

  1. In the Scout Console, for the relevant devices, open Advanced device configuration > Advanced file entries.

  2. Define the following entry:

    File /setup/terminal.ini  
    Section Security  
    Entry DiskEncryption  
    Value true (The default value is false.)

    For further information, see Advanced file entries.

A firmware update with prior disk formatting is forced for the relevant devices.

The configuration parameter has no effect on devices without TPM 2.0.

You can find information on whether the disk of the device is encrypted in the Properties window.

When new devices with a TPM 2.0 chip are added to the Scout infrastructure (onboarding) and the destination OU is configured with DiskEncryption, the configuration data stored in the Scout Console is saved locally on the device only after the setup partition has been encrypted.

Update from earlier versions to eLux RP 6.10

Updates with disk encryption can only be performed from eLux RP 6.x. Upgrades from eLux RP 5 are not supported.

If you enable encryption when updating to eLux RP 6.10, another update may be required on the next device restart. This is due to the partition formatting that is required for encryption.

The DiskEncryption parameter replaces the CryptSetupPartition parameter of previous versions. CryptSetupPartition is maintained for backward compatibility. From eLux RP 6.10, CryptSetupPartition has the same function as DiskEncryption and therefore encrypts both the setup and the system partition.
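
The following added example (not part of the product documentation) classifies what a terminal.ini requests, covering the DiskEncryption entry from the procedure above, the legacy CryptSetupPartition entry, and the rule that the parameter has no effect without TPM 2.0. It assumes terminal.ini is INI-formatted with both entries in the Security section; the function name `encryption_request` and the sample contents are constructed for illustration.

```python
import configparser

# Entry names come from the page. Assumptions of this example: terminal.ini is
# INI-formatted and both entries live in the [Security] section.
SECTION = "Security"
CURRENT_KEY = "DiskEncryption"
LEGACY_KEY = "CryptSetupPartition"  # pre-6.10 name, kept for compatibility


def _is_true(value):
    # Assumption: values are the literals true/false, compared case-insensitively.
    return value is not None and value.strip().lower() == "true"


def encryption_request(ini_text, has_tpm2):
    """Report whether encryption is requested, by which entry, and whether it applies."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True
    )
    parser.read_string(ini_text)
    # fallback=None covers a missing section or entry (default value: false).
    current = parser.get(SECTION, CURRENT_KEY, fallback=None)
    legacy = parser.get(SECTION, LEGACY_KEY, fallback=None)

    # Assumption: either entry set to true counts as a request; the page does
    # not state which one wins if they disagree.
    if _is_true(current):
        source = CURRENT_KEY
    elif _is_true(legacy):
        source = LEGACY_KEY
    else:
        return {"requested": False, "source": None, "effective": False}
    # The parameter has no effect on devices without TPM 2.0.
    return {"requested": True, "source": source, "effective": bool(has_tpm2)}


if __name__ == "__main__":
    # Constructed sample contents, not taken from a real device.
    samples = {
        "current entry": "[Security]\nDiskEncryption=true\n",
        "legacy entry": "[Security]\nCryptSetupPartition=true\n",
        "default": "[Network]\nExample=1\n",
    }
    for name, text in samples.items():
        for tpm in (True, False):
            print(name, "TPM 2.0" if tpm else "no TPM 2.0", encryption_request(text, tpm))
```

A result with `requested` true and `effective` false marks a device that is configured for encryption but stays unencrypted because it lacks TPM 2.0.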

Error handling

If a device fulfills the above-mentioned requirements for encryption and disk encryption still fails during the update, the setup partition is partially cleaned, as in a factory reset, but without deleting the Scout Server address. The device status in the Scout Console is then displayed with a yellow icon (initialization).

Resetting the disk encryption

Requires 

The feature package Partition encryption must be uninstalled on the relevant devices. This requires modifying the image definition file on the web server via ELIAS.

During the restart of the relevant devices, the disk is decrypted. That is why the startup process takes longer.

Downgrade to earlier versions < eLux RP 6.10

Devices with an encrypted disk cannot be downgraded to eLux RP 6.9.100. If a downgrade is necessary, the disk must be decrypted first.