HP-UX Trusted Computing Services A.01.00 Administrator's Guide
Ownable: yes
Owner clear: disabled
Force clear: disabled
Backing Up and Restoring Keys
Use the tpmadm backup and tpmadm restore commands to back up and restore keys stored
in the system persistent storage file /etc/opt/tcs/system.data.
The backup operation creates a backup copy of all TPM keys under the RK in system persistent
storage and prepares the RK for migration as follows:
# tpmadm backup filename=/tmp/backup
Please enter a secret used to encrypt backup information:
Backup in progress...
The backup operation has succeeded.
HP recommends that the backup file be saved on a backup server.
The restore operation is the reverse of the backup operation. Given a file that contains the
backed-up key data and the secret used during the backup, tpmadm restore decrypts the file
using the same secret, migrates the RK from the backup file, and registers all its descendant keys
onto the current host. If an RK already exists on the current host, the restore operation prompts
you to delete the existing RK and its descendant keys before proceeding. If you agree, they are
first backed up to a file with a randomly generated name under the /tmp/ directory, encrypted with
the same secret you entered, and that file name is displayed; for example:
# tpmadm restore filename=/tmp/backup
Please enter the secret used for the backup file:
To proceed, the current Roaming Key and its descendant keys must be deleted first.
They will be backed up at /tmp/NWDCgqke with the above secret before deletion.
Do you wish to continue? (y|n): y
Backing up existing keys at /tmp/NWDCgqke...
Restoring keys from /tmp/backup...
The restore operation has succeeded.
If an application stores its TPM keys outside /etc/opt/tcs/system.data, you must
manually copy that key file from the original host to a backup server. The backup operation also
does not back up any keys in user persistent storage, that is, the user.data files under each user's
home directory (for example, /home/joe/.trousers/user.data). These user.data files must also
be backed up manually.
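The following script is an added example for this section, not part of the HP-UX TCS software or this guide. It bundles the file produced by tpmadm backup together with every user persistent storage file (home/.trousers/user.data) found under a given directory, so that the one artefact that tpmadm backup does not cover is not forgotten when the backup is sent to the backup server. The home directory root, the bundle name and the use of a cksum side file are assumptions made for the example; tpmadm itself is still run interactively because it prompts for the backup secret.

```shell
#!/bin/sh
# Added example, not HP-UX TCS code. Bundles the output of `tpmadm backup`
# with every per-user persistent storage file (<home>/.trousers/user.data),
# which tpmadm backup does not cover, into one tar archive for transfer to
# a backup server.
# Assumptions (hypothetical, not from the guide): home directories live
# under the directory passed as HOME_ROOT; the backup secret is entered
# interactively when tpmadm prompts for it.

# Print every user persistent storage file below $1, one per line, sorted.
list_user_data() {
    find "$1" -type f -path '*/.trousers/user.data' 2>/dev/null | sort
}

# Create archive $3 holding the tpmadm backup file $1 plus all user.data
# files found below $2. Fails if the tpmadm backup file does not exist.
bundle_backup() {
    backup_file="$1"; home_root="$2"; out="$3"
    [ -f "$backup_file" ] || { echo "missing backup file: $backup_file" >&2; return 1; }
    tar -cf "$out" "$backup_file" || return 1
    # Append the user files one at a time so paths with spaces survive.
    list_user_data "$home_root" | while IFS= read -r f; do
        tar -rf "$out" "$f" || exit 1
    done || return 1
    # Record a checksum beside the bundle so the copy on the backup server
    # can be checked against it before a restore is attempted.
    cksum "$out" > "$out.cksum"
}

# Number of entries in archive $1, used to confirm the bundle is complete
# (one for the tpmadm backup file plus one per user.data file).
bundle_entries() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# Typical use on the HP-UX host (tpmadm prompts for the secret):
#   tpmadm backup filename=/tmp/backup
#   bundle_backup /tmp/backup /home /tmp/tcs-bundle.tar
```

The tpmadm backup file is already encrypted with the secret you typed; the user.data files are copied as they are, so protect the bundle in transit and at rest on the backup server as you would the system backup itself.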
Restoring or Migrating the TPM
There are cases where HP-UX TCS must be restored on, or migrated to, a system where ownership
of the TPM has not been taken. These cases include, but are not limited to the following:
• The TPM was replaced because of a hardware failure.
• The TPM was explicitly cleared through EFI.
• Serviceguard is being configured on the system.
• HP-UX TCS is migrating to a new system.
The prerequisite for TPM restoration or migration is the backup file generated by the tpmadm
backup command. For more information, see “Backing Up and Restoring Keys” (page 25). This
file contains the necessary information to restore HP-UX TCS persistent storage. To restore or
migrate the TPM, follow these steps:
1. If the HP-UX TCS software is already installed, enter the following command to take TPM ownership:
# swconfig -x mount_all_filesystems=false tcs
2. If the HP-UX TCS software is not installed, install it. See “Installing the
HP-UX TCS Software” (page 17).
3. Enter tpmlist status to ensure that ownership is taken.
Basic TPM Administration 25