
Anyone using TPM + master-password or using EEPROM file encryption ?


    Posted 06-09-2021 10:40

    On the platforms that support TPM, which method do you use to help harden your system?
    File integrity via master-password, with the added benefit of protecting the portable $9$ format?
    File encryption, which seems supported on all platforms via the request system set-encryption and set-encryption-key commands?

    Reason I'm asking:
    The file integrity feature is not supported along with the configuration file encryption feature that uses keys saved in EEPROM. You can enable only one function at a time.

    Here are some questions I have.
    If I use the same EEPROM key on another SRX, can I just load the config from SRX1 onto SRX2?

    Has anyone had issues upgrading the TPM firmware while master-password is in use on production systems?
    I've seen enough tickets in the past that make me wonder about the TPM method, as PCs running BitLocker get boot-locked out and need service calls to boot the system. I cannot do that for devices hours away. Below is the post from the TechLibrary:
    "If for some reason, the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text, and re-encrypting them.
    If the system is compromised, the administrator can recover the system using the following method:
    Clear the TPM ownership in u-boot and then install the image in boot loader using TFTP or USB (if USB port is not restricted)."