TPM 2.0 support

A TPM 2.0 chip built into a device can be used for basic security functions:

• Encryption of the setup partition and system partition

  The setup partition on a device's flash memory contains the device configuration, application definitions, and certificate store. The system partition holds the software packages of the firmware.

  In order to protect the system from manipulation, in addition to encryption, the disk is sealed with security measurements.

• Store the private key of a SCEP client certificate inside the TPM 2.0 module

  To store the key inside the TPM 2.0 module, a scep.ini entry is required. For further information, see Certificates for SCEP in the SCEP guide.

If you want to use TPM 2.0 via WLAN, note the special parameters in the configuration file wpa.conf. For further information, see Configuring WPA supplicant in the IEEE 802.1X short guide.

Requirements for disk encryption

• The devices are provided with a TPM 2.0 module.
• The devices are started in UEFI mode.

Disk encryption via TPM 2.0

If the device-side requirements are met, encryption can be enabled using two different mechanisms:

• Via the configuration parameter DiskEncryption

• Via the feature package Partition encryption installed with the image

  If you install the BaseOS package on the devices with the feature package Partition encryption enabled, the system will automatically be encrypted. The parameter DiskEncryption is then ignored.

  The feature package Partition encryption is enabled by default.

To encrypt the disk, the partitions must first be formatted. Therefore - as soon as the encryption is activated - a firmware update with previous formatting for the relevant devices is forced.

Encrypting the disk via parameter

1. In the Scout Console, for the relevant devices, open Advanced device configuration > Advanced file entries.

2. Define the following entry:

   File	/setup/terminal.ini
   Section	Security
   Entry	DiskEncryption
   Value	true	The default value is false.

   For further information, see Advanced file entries.

For the relevant devices, a firmware update is forced with previous disk formatting.

The configuration parameter has no effect on devices without TPM 2.0.

You can find information on whether the disk of the device is encrypted in the Properties window.

When new devices with TPM 2.0 chip are on-boarded to the Scout infrastructure and the destination OU is configured with DiskEncryption, it is ensured that the configuration data stored in the Scout Console is only saved locally on the device after the setup partition has been encrypted.

Update from earlier versions with disk encryption

Updates with disk encryption can only be performed from eLux RP 6.x. Upgrades from eLux RP 5 are not supported.

If you enable encryption when updating to a current eLux RP 6 version, one more update may be required on the next device restart. This is due to the partition formatting that is required for encryption.

Error handling

If a device fulfills the above-mentioned requirements for encryption and disk encryption still fails during the update, the setup partition will be partially cleaned like it is for a factory reset, without deleting the Scout Server address. The device status in the Scout Console is then displayed with a yellow icon (initialization).

Resetting the disk encryption

Requires  The feature package Partition encryption must be uninstalled on the relevant devices. This requires modifying the image definition file on the web server via ELIAS.

• Set the advanced file entry DiskEncryption to the value false.

  or

• Perform a factory reset for the devices. To do so, use the Remote factory reset command with the option Delete Scout Server address on the device.

During the restart of the relevant devices, the disk is decrypted. That is why the start up process takes longer.