On the platforms that support TPM, which method do you use to help harden your system?
File integrity via master-password, with the added benefit of protecting the portable $9$ format?
Or
File encryption, which seems to be supported on all platforms via the request system set-encryption and set-encryption-key commands?
Reason I'm asking:
The file integrity feature is not supported along with the configuration file encryption feature that uses keys saved in EEPROM. You can enable only one function at a time.
Here are some questions I have.
If I use the same EEPROM key on another SRX, can I just load the config from SRX1 onto SRX2?
Has anyone had issues upgrading the TPM firmware while master-password is in use on production systems?
I've seen enough tickets in the past that make me wonder about the TPM method, as PCs running BitLocker get locked out at boot and need service calls to boot the system. I cannot do that for devices hours away. Below is the post from the TechLibrary:
"If for some reason, the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text, and re-encrypting them.
If the system is compromised, the administrator can recover the system using the following method:
Clear the TPM ownership in u-boot and then install the image in boot loader using TFTP or USB (if USB port is not restricted)."