TRUSTED PLATFORM MODULE (TPM)

The trusted platform module (TPM) found on some SNS firewalls offers hardware storage that increases the security of certificates stored on the firewall.

All recent models as of SNi20 have a TPM. See the list of the relevant firewall models on the Stormshield website at Our Stormshield Network Security firewalls.

In order to use the TPM and protect private keys in certificates, the TPM must first be initialized.

Initializing the TPM

The TPM can be initialized by an administrator who holds the TPM access (W) permission during the initial access to the Objects > Certificates and PKI module.

When the module is opened, the TPM initialization window will appear and a TPM administration password must be set. The password must comply with the password policy set on the firewall. Keep the password in a safe and protected location.

If the firewall is part of a high availability cluster, initializing the TPM on the active firewall automatically activates the initialization of the TPM on the passive firewall.

For more information on the initialization of the TPM, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Using certificates with TPM-protected private keys in the firewall configuration

The TPM-based security mechanism applies to certificates in the following cases:

• IPsec VPN (VPN > IPsec VPN module),
• SSL VPN (VPN > SSL VPN module),
• SSL/TLS decryption for the web administration interface and captive portal (Users > Authentication module),
• Communications with the SMC server (System > Management Center module),
• Sending of logs to a syslog server (Notifications > Logs - Syslog - IPFIX module),
• Internal LDAP (Users > Directories configuration module).

For more information ranging from TPM protection of private keys in the firewall's certificates, to the configuration of such certificates in the firewall's modules, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Explanations on usage when the TPM is initialized

These use cases take into account the initialization of the TPM:

• Manual or automatic configuration backup (System > Maintenance module),

• Restoration of a configuration backup (System > Maintenance module),

• Calculating the high availability (advanced properties) quality factor.

For more information, refer to the section Explanations on usage when the TPM is initialized, in the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.