TPM 2.0 support

– for eLux RP 6.7 and later versions –

A TPM 2.0 chip built into the device can be used for basic security functions:

• Encryption of the setup partition1 from eLux RP 6.7 and system partition2 from eLux RP 6.10

  The setup partition on the device's flash memory contains the device configuration, application definitions, and certificate store. The system partition holds the software packages of the firmware.

  In order to protect the system from manipulation, in addition to encryption, the disk is sealed with security measurements.3 from eLux RP 6.10

• Store the private key of a SCEP client certificate inside the TPM 2.0 module

  To store the key inside the TPM 2.0 module, a scep.ini entry is required. For further information, see Certificates for SCEP in the SCEP guide.

If you want to use TPM 2.0 via WLAN, note the special parameters in the configuration file wpa.conf.For further information, see Configuring WPA supplicant in the IEEE 802.1X short guide.

Requirements for disk encryption

• The devices are provided with a TPM 2.0 module.
• The devices are started in UEFI mode.

Disk encryption via TPM 2.0

– from eLux RP 6.10 –

If the device-side requirements are met, encryption can be enabled using two different mechanisms:

• Via the configuration parameter DiskEncryption

• Via the feature package Partition encryption installed with the image

  If the BaseOS package for eLux RP 6.10 or later is installed on the devices with the feature package Partition encryption enabled, the system is automatically encrypted. The parameter DiskEncryption is then ignored.

  The feature package Partition encryption is enabled by default.

To encrypt the disk, the partitions must first be formatted. Therefore - as soon as the encryption is activated - a firmware update with previous formatting for the relevant devices is forced.

Encrypting the disk via parameter

– from eLux RP 6.10 –

1. In the Scout Console, for the relevant devices, open Advanced device configuration > Advanced file entries.

2. Define the following entry:

   File	/setup/terminal.ini
   Section	Security
   Entry	DiskEncryption
   Value	true	The default value is false.

   For further information, see Advanced file entries.

For the relevant devices a firmware update is forced with previous disk formatting.

The configuration parameter has no effect on devices without TPM 2.0.

You can find information on whether the disk of the device is encrypted in the Properties window.4 for Scout 15.8 and later versions

When new devices with TPM 2.0 chip are added to the Scout infrastructure (onboarding) and the destination OU is configured with DiskEncryption, it is ensured that the configuration data stored in the Scout Console is only saved locally on the device after the setup partition has been encrypted.

Update from earlier versions to eLux RP 6.10

Updates with disk encryption can only be performed from eLux RP 6.x. Upgrades from eLux RP 5 are not supported.

If you enable encryption when updating to eLux RP 6.10, another update may be required on the next device restart. This is due to the partition formatting that is required for encryption.

The DiskEncryption parameter replaces the CryptSetupPartition parameter of previous versions,5 eLux RP 6.7 to eLux RP 6.9 but is maintained for backward compatibility. From eLux RP 6.10, CryptSetupPartition has the same function as DiskEncryption and therefore encrypts setup and system partition.

Error handling

If a device fulfills the above-mentioned requirements for encryption and disk encryption still fails during the update, the setup partition will be partially cleaned like it is for a factory reset without deleting the Scout Server address. The device status in the Scout Console is then displayed with a yellow icon (initialization).

Resetting the disk encryption

Requires  The feature package Partition encryption must be uninstalled on the relevant devices. This requires modifying the image definition file on the web server via ELIAS.

• Set the advanced file entry DiskEncryption6 alternatively CryptSetupPartition to the value false.

  or

• Perform a factory reset for the devices. To do so, use the Remote factory reset command with the option Delete Scout Server address on the device.

During the restart of the relevant devices, the disk is decrypted. That is why the start up process takes longer.

Downgrade to earlier versions < eLux RP 6.10

Devices with encrypted disk cannot be downgraded to eLux RP 6.9.100. If a downgrade is necessary, the disk must be decrypted first.