HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Enabled: yes
Ownable: yes
Owner clear: disabled
Force clear: disabled
The tpmlist status command requires TPM owner authorization; you must specify the TPM
password if one is set. See “Specifying the TPM Password” (page 32).
Specifying Secret Passphrases
Many TCS utilities use a required or optional passphrase to encrypt output. For example, the
tpmadm utility uses a passphrase, or secret, to encrypt and decrypt the TPM key archive file.
You can use one of the following methods to provide the secret value:
Specifying the secret=secret command-line option in the tpmadm command
Setting the TCS_PASS environment variable
Using the interactive command prompt
If you specify the secret as a command-line option, other users can view the value using the ps
command or other mechanisms. It is more secure to specify the secret using one of the other
methods listed in this section.
Maximum Secret Length
The maximum length for a secret passphrase is 128 characters.
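The following wrapper is an added example, not part of the HP-UX TCS guide: it passes the secret to a command through the TCS_PASS environment variable (the same pattern applies to TPM_PASSWD for the TPM password) instead of a secret= argument, so it never appears in the argument list that ps displays, and it enforces the 128-character limit stated above. Only the TCS_PASS variable name and the 128 limit come from the guide; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not HP-UX TCS code): supply a TCS secret via the environment
# rather than the command line. POSIX sh; no "local" or bash-only features.

TCS_MAX_SECRET=128   # limit documented under "Maximum Secret Length"

# validate_secret SECRET: succeed only if SECRET is 1..128 characters long.
validate_secret() {
    _len=${#1}
    [ "$_len" -gt 0 ] && [ "$_len" -le "$TCS_MAX_SECRET" ]
}

# read_secret_noecho: prompt on the terminal with echo turned off and write the
# entered value to stdout, so callers capture it with $(...) and never type it
# as an argument. Requires a tty; the <test> does not call it.
read_secret_noecho() {
    printf 'TCS secret: ' >&2
    _old=$(stty -g) && stty -echo
    IFS= read -r _s
    stty "$_old"; printf '\n' >&2
    printf '%s' "$_s"
}

# run_with_secret SECRET CMD [ARGS...]: export the secret to CMD only, via
# TCS_PASS, then run CMD with its own arguments untouched. Returns 2 on a
# secret that violates the length rule, otherwise CMD's exit status.
run_with_secret() {
    _secret=$1; shift
    if ! validate_secret "$_secret"; then
        echo "secret must be 1-$TCS_MAX_SECRET characters" >&2
        return 2
    fi
    TCS_PASS=$_secret "$@"
}

# Typical use (interactive): the secret reaches tpmadm through TCS_PASS and
# the tpmadm argument list contains no secret= option for ps to show.
#   run_with_secret "$(read_secret_noecho)" tpmadm <tpmadm arguments>
```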
Managing TPM Ownership and the TPM Password
TPM ownership is required to perform most TPM administrative tasks. Taking ownership of the
TPM requires the owner to establish a shared secret, the TPM password, with the TPM.
Knowledge of the TPM password provides proof of ownership only; the TPM password cannot
be used to reveal the private keys protected by the TPM. For more information on TPM ownership,
see the Trusted Computing Group TPM specifications at https://www.trustedcomputinggroup.org/specs/TPM/TCPA_Main_TCG_Architecture_v1_1b.pdf.
Specifying the TPM Password
The TPM password is set automatically to a random string when ownership of the TPM is
established during TCS installation. The TPM password is stored in an obscured form in the
TPM password file, /etc/opt/tcs/passwd.
When the TPM password is required for an operation, you can use one of the following methods
to provide the password value:
Specifying the passwd=password command-line option in the tpmadm or tpmlist command
Setting the TPM_PASSWD environment variable
Using the value in the TPM password file if it is set and you have access permission
Using the interactive command prompt
If you specify the TPM password as a command-line option for the tpmadm or tpmlist command,
other users can view the password using the ps command or other mechanisms. It is more secure
to specify the TPM password using one of the other methods listed previously.
The advantage of keeping the password in the TPM password file is that you do not have to
remember and type in the password each time you run a tpmadm or tpmlist command that
requires the TPM password. However, removing the TPM password file is more secure because
it is possible for a user with sufficient system access to reverse-engineer the password from the
password file.
32 Basic TCS Administration