TRUSTED PLATFORM MODULE (TPM)

The trusted platform module (TPM) found on some SNS firewalls provides hardware storage that increases the security of some certificates stored on the firewall by protecting their private keys.

All recent models as of SNi20 have a TPM. See the list of the relevant firewall models on the Stormshield website at Our Stormshield Network Security firewalls.

In order to use the TPM and protect private keys in certificates, the TPM must first be initialized.

Initializing the TPM

The TPM can be initialized by an administrator who holds the TPM access (W) permission in the CLI console by using the command:

SYSTEM TPM INIT tpmpassword=<password> derivekey=<on|off>

  • Replace <password> with the desired TPM administration password. The password must comply with the password policy set on the firewall. Keep the TPM password in a safe and protected location.
  • Enter derivekey=on if the firewall is part of a high availability cluster.

For more information on the initialization of the TPM, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Using certificates with TPM-protected private keys in the firewall configuration

The TPM-based security mechanism applies to certificates used for IKEv2 IPsec VPN (VPN > IPsec VPN module). In configurations that use the IKEv1 IPsec VPN tunnel manager, tunnels will no longer be set up if the private key in the certificate used is protected by the TPM.

For more information on both the TPM protection of private keys in the firewall's certificates and the configuration of such certificates in the firewall's modules, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Explanations on usage when the TPM is initialized

These use cases take into account the initialization of the TPM:

For more information, refer to the section Explanations on usage when the TPM is initialized, in the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.