What is Zeroize TPM keys?

Q:

What is Zeroize TPM keys?



A:

This feature is available only in FIPS images. Zeroizing a cryptographic module involves erasing sensitive parameters such as electronically stored data, cryptographic keys, and critical security parameters from a controller to prevent their disclosure if the equipment must be permanently and irreversibly decommissioned.

The following commands are introduced in ArubaOS 8.2.1.1:
zeroize-tpm-keys - This command is used to erase the TPM contents and render the controller permanently inoperable.

Note: Do not use this command prior to RMA. This is for permanent decommission of a controller and will void any support or warranty entitlement.

 

The following example shows how to erase the TPM contents when the zeroize-tpm-keys command is executed.

(host) [mynode] #zeroize-tpm-keys
The effect of the action you are about to execute is not reversible. Are you sure you want to implement this function? Press 'y' to proceed : [y/n]: y
This action will void the warranty on the controller and nullify the RMA. Are you still sure you want to do this?(y/n): y
You are about to wipe the contents of the TPM and render the controller permanently inoperable. Are you ready to go ahead?(y/n): y
TPM keys have been zeroized. Please reload the controller.

 

show tpm errorlog - This command displays the TPM initialization errors for controllers.

The following example displays the TPM initialization errors when the 'show tpm errorlog' command is executed.

(host) [mynode] #show tpm errorlog

05032018:15:30:25>>ERROR>>TPM LoadKey Command failed with return code (0x00000006)
05032018:15:30:25>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:30:34>>ERROR>>TPM LoadKey Command failed with return code (0x00000006)
05032018:15:30:34>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:30:44>>ERROR>>TPM LoadKey Command failed with return code (0x00000006)
05032018:15:30:44>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:30:54>>ERROR>>TPM LoadKey Command failed with return code (0x00000006)
05032018:15:30:54>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:30:54>>ERROR>>TPM Setup at System Initialization failed
05032018:15:31:03>>ERROR>>TPM LoadKey Command failed with return code (0x00000006) 
05032018:15:31:03>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:31:13>>ERROR>>TPM LoadKey Command failed with return code (0x00000006) 
05032018:15:31:13>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:31:23>>ERROR>>TPM LoadKey Command failed with return code (0x00000006) 
05032018:15:31:23>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:31:32>>ERROR>>TPM LoadKey Command failed with return code (0x00000006) 
05032018:15:31:32>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:31:32>>ERROR>>TPM Setup at System Initialization failed
05032018:15:31:32>>ERROR>>TPM or Device Cert Initialization failed.
05032018:15:31:40>>ERROR>>Error while opening /tmp/tpmKeyHandles.bin for reading TPM Handles,errno(2) 
05032018:15:31:40>>ERROR>>FindTpmKeyHandle for key ID 0x00000002 failed
05032018:15:32:39>>ERROR>>Error getting Intermediate Certificates for the device
05032018:15:33:23>>ERROR>>Error while opening /tmp/tpmKeyHandles.bin for reading TPM Handles,errno(2) 
05032018:15:33:23>>ERROR>>FindTpmKeyHandle for key ID 0x00000002 failed
05032018:15:33:23>>ERROR>>TpmDecryptWithKeyId failed to decrypt with TPM key 2 in function DecryptFieldSymKeyWithTPM.
05032018:15:33:23>>ERROR>>For purpose 15, error decrypting /flash/config/fieldCerts/15/symKey.bin.enc to /tmp/fieldPrivKeys/symKey.bin.15 with TPMEncKEY_ID=2 failed.
05032018:15:33:23>>ERROR>>Error decrypting private key(s).
05032018:15:33:23>>ERROR>>Error decrypting field private key(s). Please check if the flash is corrupted. 
05032018:15:33:23>>ERROR>>Field Cert Initialization failed.

 

show tpm cert-info - This command is used to check the TPM certificate that is installed on the respective controller.

The following example shows the output after the controller TPM has been zeroized.

(host) [mynode] #show tpm cert-info
Cannot get TPM and Factory Certificate Info.
TPM and/or Factory Certificates might be missing.
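
As an added example (not part of the original post and not ArubaOS code): a small Python parser for the record format printed by show tpm errorlog, run over a constructed subset of the output shown above. The record layout MMDDYYYY:HH:MM:SS>>LEVEL>>message, the sample lines and the three "fatal" messages it looks for are taken from the log above; everything else (the handling of two records pasted onto one line, the LoadKey/return-code counters and the operator verdict) is the example's own assumption about how one would triage such a dump before deciding whether the controller's TPM-backed identity is gone.

```python
import re
from collections import Counter

# Record format as printed by `show tpm errorlog`: MMDDYYYY:HH:MM:SS>>LEVEL>>message
RECORD_RE = re.compile(
    r"^(?P<date>\d{8}):(?P<time>\d{2}:\d{2}:\d{2})>>(?P<level>[A-Z]+)>>(?P<msg>.*?)\s*$"
)
# Zero-width split point in front of every timestamp, so two records that were
# run together on one line (as happens when the output is pasted) are separated.
RECORD_START_RE = re.compile(r"(?=\d{8}:\d{2}:\d{2}:\d{2}>>)")
RETURN_CODE_RE = re.compile(r"return code \((0x[0-9A-Fa-f]+)\)")

# Messages that mean the controller could not bring up its TPM-backed identity
# at boot (taken from the page's sample log). Assumption of this example: any
# one of them is enough to treat the TPM as unusable.
FATAL_MARKERS = (
    "TPM Setup at System Initialization failed",
    "TPM or Device Cert Initialization failed",
    "Field Cert Initialization failed",
)

# Constructed sample: a subset of the page's `show tpm errorlog` output,
# including one pasted line that carries two records.
SAMPLE_LOG = """\
05032018:15:30:25>>ERROR>>TPM LoadKey Command failed with return code (0x00000006)
05032018:15:30:25>>ERROR>>TpmLoadKey Failed for Certified Key
05032018:15:30:54>>ERROR>>TPM Setup at System Initialization failed
05032018:15:31:32>>ERROR>>TPM or Device Cert Initialization failed.
05032018:15:31:40>>ERROR>>Error while opening /tmp/tpmKeyHandles.bin for reading TPM Handles,errno(2)
05032018:15:33:23>>ERROR>>FindTpmKeyHandle for key ID 0x00000002 failed 05032018:15:33:23>>ERROR>>TpmDecryptWithKeyId failed to decrypt with TPM key 2 in function DecryptFieldSymKeyWithTPM.
05032018:15:33:23>>ERROR>>Field Cert Initialization failed.
"""


def parse_errorlog(text):
    """Return one dict per record (date, time, level, msg); unparseable text is skipped."""
    records = []
    for line in text.splitlines():
        for chunk in RECORD_START_RE.split(line):
            chunk = chunk.strip()
            if not chunk:
                continue
            m = RECORD_RE.match(chunk)
            if m:
                records.append(m.groupdict())
    return records


def analyze(text):
    """Summarize a `show tpm errorlog` dump: LoadKey failures, TPM return codes, fatal markers."""
    records = parse_errorlog(text)
    return_codes = Counter()
    fatal = []
    loadkey_failures = 0
    for rec in records:
        rc = RETURN_CODE_RE.search(rec["msg"])
        if rc:
            return_codes[rc.group(1).lower()] += 1
        if "LoadKey Command failed" in rec["msg"]:
            loadkey_failures += 1
        for marker in FATAL_MARKERS:
            if marker in rec["msg"]:
                fatal.append((rec["date"], rec["time"], marker))
    return {
        "records": len(records),
        "loadkey_failures": loadkey_failures,
        "return_codes": dict(return_codes),
        "fatal": fatal,
        "tpm_unusable": bool(fatal),
    }


def verdict(summary):
    """One-line operator verdict derived from analyze()'s result."""
    if summary["tpm_unusable"]:
        return ("TPM-backed identity did not initialize (%d fatal marker(s)); "
                "confirm with 'show tpm cert-info'" % len(summary["fatal"]))
    return "no fatal TPM initialization errors found"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key in ("records", "loadkey_failures", "return_codes"):
        print("%-18s %s" % (key + ":", result[key]))
    for date, time, marker in result["fatal"]:
        print("fatal @ %s %s: %s" % (date, time, marker))
    print(verdict(result))
```

Feed it the text captured from show tpm errorlog over SSH instead of SAMPLE_LOG. The return codes are only counted, not interpreted, since the page does not say what 0x00000006 means on this platform; the markers list is the piece to extend if your controllers log other initialization failures.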