HP-UX Trusted Computing Services A.01.00 Administrator's Guide
Administering the TPM Password
The TPM password (the TPM owner authorization) cannot generally be used to reveal the private keys
protected by the TPM; it only controls some of the TPM management operations. The TPM password is
set automatically during the take-ownership phase of the HP-UX TCS installation process, and is
stored in an obscured form in the /etc/opt/tcs/passwd file.
After installation, you can keep the automatically generated TPM password, or you can reset
the password to something you can easily remember using the tpmadm changepwd command.
Alternatively, you can delete the password entry or the password file entirely.
The advantage of keeping the TPM password in the password file is that you do not have to
remember and type in the password each time you run a command that requires TPM owner
authorization. However, the file only obscures the password, so a user with sufficient system
access could potentially recover it from the file; removing the password file is the more secure
option.
The tpmadm and tpmlist commands attempt to read the password from the password file,
provided the user running the commands has sufficient privilege to access the password file.
If the password is passed as a command-line option to the tpmadm or tpmlist command, it may be
visible to other users on the system, for example in the output of the ps command. For better
security, supply the TPM password in one of the following ways instead:
• Using the TPM_PASSWD environment variable.
• Using the TPM password in the /etc/opt/tcs/passwd file if you have access permission.
• Using the interactive command prompt.
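The following script is an added example and is not part of the HP-UX TCS guide or the tpmadm tool. It shows how to feed the TPM password to a command through the TPM_PASSWD environment variable (so it never appears on the command line or in ps output), and how to check that a stored password file is not readable by other users before relying on it. The lookup order (environment, then file, then interactive prompt), the TCS_PASSWD_FILE override variable, and the function names are this script's own assumptions; the TPM_PASSWD variable and the /etc/opt/tcs/passwd path are the ones the guide describes.

```shell
#!/bin/sh
# Added example (not from the HP-UX TCS guide): supply the TPM owner password to
# tpmadm/tpmlist without placing it in the command's argv.
# Assumptions: the tools honour TPM_PASSWD and read /etc/opt/tcs/passwd as the
# guide states; the source order (env, file, prompt) is this script's choice.

TCS_PASSWD_FILE="${TCS_PASSWD_FILE:-/etc/opt/tcs/passwd}"

# Return 0 if FILE exists and has no group or other permission bits at all.
# Parses ls -ld rather than stat(1) so it behaves the same on HP-UX and Linux.
passwd_file_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print where the password should come from:
#   env    - TPM_PASSWD is already set (nothing shows up in ps)
#   file   - a readable, owner-only password file exists; the tool reads it itself
#   prompt - neither is usable; fall back to an interactive, no-echo prompt
tpm_passwd_source() {
    if [ -n "${TPM_PASSWD:-}" ]; then
        echo env
    elif [ -r "$TCS_PASSWD_FILE" ] && passwd_file_is_private "$TCS_PASSWD_FILE"; then
        echo file
    else
        echo prompt
    fi
}

# Read the password from the terminal with echo turned off, into the
# shell variable pw (POSIX sh function variables are global).
read_tpm_passwd_noecho() {
    printf 'Please enter TPM password: ' >&2
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    echo >&2
}

# Run a TPM-owner-authorized command. The password is never appended as an
# argument; when prompting, it is exported only into the child's environment.
run_tpm_cmd() {
    case "$(tpm_passwd_source)" in
        env|file)
            "$@"
            ;;
        prompt)
            read_tpm_passwd_noecho
            TPM_PASSWD="$pw" "$@"
            unset pw
            ;;
    esac
}

# Usage on a real system (needs the TCS tools installed and root privilege
# for the password file):  run_tpm_cmd tpmlist status
```

Exporting TPM_PASSWD for the whole login shell would make it visible to every later child process (and to anyone who can read that process's environment), so the prompt path sets it only for the single command being run.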
Changing the TPM Password
You can change the TPM password using the tpmadm changepwd key=tpm command. This
command also updates the /etc/opt/tcs/passwd file, if the TPM password entry is present
in the file. If the password entry or the password file itself is deleted, and you want to restore
the password entry or the password file, you can do so by setting a new TPM password using
the tpmadm changepwd key=tpm storeentry command. The storeentry option
regenerates the /etc/opt/tcs/passwd file (if it is not already present) and restores the TPM
password entry (if it has been previously deleted). For example:
# tpmadm changepwd key=tpm storeentry
Please enter TPM password:
Please enter the new TPM password (8 char max):
Confirm password:
Password change successful.
If you forget the TPM password and the /etc/opt/tcs/passwd file has also been deleted, follow these steps:
1. Clear the TPM ownership using the EFI Shell. See “Clearing TPM Ownership” (page 19).
2. Retake the TPM ownership using the tpmadm takeownership command to generate a
new TPM password in the /etc/opt/tcs/passwd file.
3. Create a Root Key using the tpmadm changepwd key=tpm command.
Both the tpmadm changepwd key=tpm command and the tpmadm takeownership command
require that you have enough privilege to write to the /etc/opt/tcs/passwd file. On most
systems, this means you must log in as root.
Retrieving TPM Status Information
The tpmlist command retrieves TPM status information as illustrated in the following example:
# tpmlist status
Owned: yes
Activated: yes
Enabled: yes
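The following function is an added example, not part of the guide or of tpmlist. It turns the tpmlist status output shown above into a check suitable for a cron job or monitoring script: it reports every field that is missing or not "yes" and returns nonzero. The two sample outputs are constructed here, not captured from a system, and the three field names are the ones the page shows.

```shell
#!/bin/sh
# Added example (not from the HP-UX TCS guide): evaluate `tpmlist status`
# output as a health check. Field names follow the output shown in the guide;
# the sample strings below are constructed, not captured from a real system.

# Read tpmlist status output on stdin. Print one line per field that is
# missing or not "yes" and return 1; print nothing and return 0 when all three
# fields are present and "yes".
tpm_status_problems() {
    awk '
        /^(Owned|Activated|Enabled):/ {
            key = $1
            sub(/:$/, "", key)
            seen[key] = $2
        }
        END {
            n = split("Owned Activated Enabled", want, " ")
            rc = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) {
                    print k ": missing"
                    rc = 1
                } else if (seen[k] != "yes") {
                    print k ": " seen[k]
                    rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample output: a healthy TPM.
SAMPLE_OK='Owned: yes
Activated: yes
Enabled: yes'

# Constructed sample output: ownership cleared and one field absent.
SAMPLE_BAD='Owned: no
Enabled: yes'

# On a real system:  tpmlist status | tpm_status_problems || mail -s "TPM not ready" root
# With the constructed sample:  printf '%s\n' "$SAMPLE_BAD" | tpm_status_problems
#   Owned: no
#   Activated: missing
```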
24 Basic HP-UX TCS Administration