HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Creating and Restoring TPM Key Backup Files
Use the tpmadm backup and tpmadm restore commands to back up and restore the Roaming
Key (RK) and its descendant keys that are stored in the system persistent storage. You can also
use these commands to migrate these keys to another system.
Backing Up TPM Keys
The tpmadm backup command creates a TPM key archive with a copy of all TPM keys under
the RK in system persistent storage. In most cases, you can use the following syntax:
tpmadm backup filename=myArchiveFile
Where myArchiveFile is the name of the TPM key archive file to create.
The tpmadm backup command requires TPM owner authorization. By default, tpmadm attempts
to read the TPM password from the encrypted /etc/opt/tcs/passwd file. For additional
methods to specify the password, see “Specifying the TPM Password” (page 32).
The tpmadm backup command also requires you to specify a secret, which tpmadm uses to
encrypt the TPM key archive file. By default, tpmadm prompts you for the secret, but you can
specify the secret using any of the methods described in “Specifying Secret Passphrases” (page 32).
Make a note of the secret; you will need it to restore the keys.
Example
# tpmadm backup filename=/tmp/backup
Please enter a secret used to encrypt backup information:
Backup in progress...
The backup operation has succeeded.
Restoring TPM Keys
The tpmadm restore command takes a TPM key archive file created with the tpmadm backup
command and restores the keys. You must specify the secret used to create the TPM key archive.
The tpmadm restore command decrypts the archive using the secret, migrates the RK from
the TPM key archive, and registers all its descendant keys onto the current host. If an RK already
exists on the current host, the restore operation prompts you with the option to delete the RK
and its descendant keys. If you delete the existing RK, a copy of the existing RK and its descendant
keys is backed up in a file under the /tmp/ directory, encrypted with the same secret you entered
for the restore. The file name is randomly generated and displayed by tpmadm. For example:
# tpmadm restore filename=/tmp/backup
Please enter the secret used for the backup file:
To proceed, the current Roaming Key and its descendant keys must be deleted first.
They will be backed up at /tmp/NWDCgqke with the above secret before deletion.
Do you wish to continue? (y|n): y
Backing up existing keys at /tmp/NWDCgqke...
Restoring keys from /tmp/backup...
The restore operation has succeeded.
If an application does not store its TPM keys in TPM system persistent storage, tpmadm backup
does not include them; you must manually copy the application's key files from the original host
to the backup server. You must also manually back up any TCS keys in user persistent storage,
which are stored in ~/.trousers/user.data files in users' home directories.
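The following POSIX shell script is an added example and is not part of the HP-UX TCS guide or of the tpmadm tool itself. It wraps the tpmadm backup and tpmadm restore calls shown above so that the archive is written to a root-only directory instead of /tmp, is checksummed before a restore is attempted, and it collects the per-user ~/.trousers/user.data files that tpmadm backup does not cover. Everything beyond the two tpmadm invocations is assumed: the command name is taken from a TPMADM environment variable (so a stub can stand in on a host without a TPM), the backup directory /var/opt/tcs/backup and the home-directory root /home are illustrative, and the archive secret is left to tpmadm's interactive prompt rather than passed on the command line.

```shell
#!/bin/sh
# Added example, not from the HP-UX TCS guide or the tpmadm tool.
# Wraps "tpmadm backup" / "tpmadm restore" so the key archive is never left
# world-readable in /tmp, is checksummed before restore, and collects the
# per-user ~/.trousers/user.data files that tpmadm backup does not cover.
# Assumption: the tpmadm command name comes from $TPMADM so that a stub can
# be substituted on a host without a TPM.
set -u

TPMADM="${TPMADM:-tpmadm}"

# Create the RK archive under $1 (e.g. /var/opt/tcs/backup, an assumed path)
# with mode 600 and record a checksum beside it. Prints the archive path.
# The archive secret is entered at tpmadm's own prompt; it is deliberately
# not passed on the command line, where it would be visible in ps output
# and in shell history.
backup_rk() {
    dest_dir=$1
    archive="$dest_dir/rk-$(date +%Y%m%d%H%M%S)-$$.bak"
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest_dir" && "$TPMADM" backup "filename=$archive" || {
        umask "$old_umask"
        return 1
    }
    chmod 600 "$archive"
    cksum < "$archive" > "$archive.cksum"   # "crc size", no file name
    umask "$old_umask"
    echo "$archive"
}

# Compare an archive against the checksum recorded at backup time.
# Returns non-zero if either file is missing or the archive was altered.
verify_archive() {
    archive=$1
    [ -f "$archive" ] && [ -f "$archive.cksum" ] || return 1
    [ "$(cksum < "$archive")" = "$(cat "$archive.cksum")" ]
}

# Refuse to restore from an archive that fails its checksum. tpmadm itself
# prompts for the secret and, if an RK already exists, asks before replacing
# it; the displaced keys are written to a random file under /tmp.
restore_rk() {
    archive=$1
    verify_archive "$archive" || {
        echo "checksum mismatch, refusing to restore $archive" >&2
        return 1
    }
    "$TPMADM" restore "filename=$archive"
}

# Copy every <home>/.trousers/user.data below $1 (e.g. /home) into
# $2/<user>/user.data with mode 600. Prints the number of files copied.
# Keys in user persistent storage are outside the RK hierarchy, so
# tpmadm backup does not archive them.
collect_user_keys() {
    home_root=$1
    out_dir=$2
    n=0
    old_umask=$(umask)
    umask 077
    mkdir -p "$out_dir" || { umask "$old_umask"; return 1; }
    for f in "$home_root"/*/.trousers/user.data; do
        [ -f "$f" ] || continue          # glob matched nothing
        user=${f#"$home_root"/}          # strip the root prefix ...
        user=${user%%/*}                 # ... leaving the home directory name
        mkdir -p "$out_dir/$user" && cp "$f" "$out_dir/$user/user.data" || {
            umask "$old_umask"
            return 1
        }
        n=$((n + 1))
    done
    umask "$old_umask"
    echo "$n"
}

# Typical use on the TPM host (assumed paths):
#   archive=$(backup_rk /var/opt/tcs/backup)
#   collect_user_keys /home /var/opt/tcs/backup/users
#   restore_rk "$archive"
```

When restore_rk replaces an existing RK, the copy that tpmadm makes of the old keys still lands in /tmp under the random name it prints; move that file into the same restricted directory as soon as the restore finishes, since it is only as protected as the secret you typed and the /tmp permissions allow.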
Retrieving TPM Status Information
Enter the tpmlist status command to retrieve TPM status information. For example:
# tpmlist status
Owned: yes
Activated: yes