TRUSTED PLATFORM MODULE (TPM)

The trusted platform module (TPM) found on some SNS firewalls offers hardware storage that increases the security of certificates stored on the SNS firewall.

If the SNS firewall is equipped with a TPM, a "TPM" indicator will appear in the Health indicators widget in the Dashboard. See the list of firewall models that are equipped with a TPM on the Stormshield website at Our Stormshield Network Security firewalls.

In order to use the TPM and protect private keys in certificates, the TPM must be initialized in advance.

Initializing the TPM

To initialize the TPM, the administrator must hold the TPM access (W) privilege. Only the admin account can assign this privilege in Configuration > System > Administrators, Administrators tab, Switch to advanced view button.

To initialize the TPM:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Click on Init. TPM.
  3. If Secure Boot has not been enabled, a warning will appear. You are advised to enable Secure Boot before initializing the TPM, but this can be done later. Do note, however, that TPM protection is incomplete as long as the Secure Boot feature is not enabled.
  4. In the Set password window, set the TPM administration password:
    • It must comply with the password policy set on the SNS firewall.
    • We recommend generating it randomly with a length of at least 64 characters.
    • It must be kept in a secure and protected location. If you misplace the TPM password, you will not be able to reinitialize it, and Stormshield is not in a position to recover the password.
  5. Select the features for which the private keys of the certificates used will be protected. Features that do not use certificates in their configuration cannot be selected. You can also leave all checkboxes unchecked and protect private keys in SNS firewall certificates later.
  6. Click on Finish.

The TPM is initialized and the key derivation mechanism generates the symmetric key; this happens regardless of whether the SNS firewall is a member of a high availability cluster. If the SNS firewall is part of a high availability cluster, the TPM on the passive firewall will be initialized automatically.

For more information on the initialization of the TPM, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Using certificates with TPM-protected private keys

The TPM-based security mechanism applies to certificates in the cases listed below. Refer to the sections in these modules for details on how to use certificates with protected private keys in the configuration of SNS firewalls.

In these modules, the icon indicates certificates with a TPM-protected private key.

For more information on protecting certificate private keys with the TPM, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Explanations on usage with the TPM

  • There are several particularities regarding the encryption status of protected private keys that are included in the configuration backup file (Configuration > Maintenance > Backup module):
    • For manual backups, protected private keys are included decrypted, as the TPM password has to be entered.
    • For automatic backups, private keys are included but remain encrypted.
  • Backups containing encrypted private keys can only be restored on the original firewall. Encrypted private keys cannot be decrypted on another SNS firewall, as the symmetric key is assumed to be different.
  • During the initial configuration of an SNS firewall via USB key, the init and p12import operations allow you to interact with the TPM.
  • The status of the TPM can be applied to the calculation of the high availability (HA) quality factor.

For more information on these use cases, refer to the section Explanations on usage when the TPM is initialized, in the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.