Operation

Certificates with private keys that can be protected by the TPM

See which certificates are concerned and which SNS versions are compatible in the chapter Requirements.

TPM administration password

When the TPM is initialized on the SNS firewall, a TPM administration password must be set. This password is required in order to perform certain operations on the TPM, such as removing protection from the private key of a certificate or disabling the TPM.

In this technical note, the TPM administration password is referred to as "TPM password".

IMPORTANT
Keep the TPM password in a safe and protected location. Do note that Stormshield will not be able to help you recover this password if you forget it.

Protecting private keys in firewall certificates with symmetric keys

When the private key of a certificate is protected by the TPM, the key will be encrypted with a symmetric key. Only the symmetric key will enable the encryption and decryption of the certificate's private key.

The symmetric key is set during the initialization of the TPM and stored on the TPM. Access to this key is strictly protected, notably through a feature that reliably measures the status of the system, known as PCRs (platform configuration registers).

When a private key needs to be decrypted, the firewall has to retrieve the TPM’s symmetric key. This operation can only be completed if the PCRs confirm that the status of the firewall is reliable.

If PCRs change, for example after an SNS version update that involves changes to the startup sequence of the product, the firewall can no longer retrieve the symmetric key, and protected private keys can no longer be decrypted. Only the TPM password can be used to update the access policy and recover these keys (this scenario is described in Troubleshooting).

Symmetric key derivation mechanism on firewall clusters

Firewalls have their own TPMs in high availability (HA) clusters. Two symmetric keys are therefore generated:

  • A first symmetric key stored on the active firewall's TPM,
  • A second symmetric key stored on the passive firewall's TPM.

A symmetric key derivation mechanism (known as derivekey) makes it possible to set the same symmetric key on both firewalls in the cluster. As such, when the firewall switches from passive to active, TPM-protected private keys in certificates can always be decrypted because the symmetric keys are the same.