A Trusted Platform Module (TPM) chip is a secure crypto processor that provides hardware-based, security-related functions. Since their introduction in 2009, more than 2 billion of these chips have been embedded into a wide range of devices such as PCs, ATMs and, most recently, Opengear console servers.[1]
These specialized TPM chips can be used with any major operating system. They are placed into endpoint devices and store critical data such as passwords, certificates and encryption keys. The encryption keys are specific to each host system and are used for hardware authentication[2]:
- Endorsement Key (EK): Each chip contains an RSA key pair. This special-purpose, TPM-resident RSA key is maintained inside the chip and is never exposed; it cannot be accessed by software
- Storage Root Key: This is created when a user or administrator takes ownership of the system
- Attestation Identity Key (AIK): This second key protects against unauthorized modifications by hashing firmware and software before they're executed. Once a device arrives onsite, the system tries to connect to the network. Each hash is sent to a server, which verifies that it lines up with the expected value. If any component doesn't match, that tells engineers that something has been modified, and it ensures that the deployed system won't be able to get access to the network
As travel restrictions remain in place and uncertainty grows due to the pandemic, enterprises must be able to deploy securely to a new location. Most of the time an organization ships the devices and sends a technician on site. In transit, boxes can be tampered with or even stolen. When that occurs and no TPM chip is embedded, a lot of sensitive information is at risk. The NetOps Console Server solves that challenge.
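The verification step described above, as an added illustration that is not Opengear's code or the TPM specification's own protocol: a device's boot measurement log is replayed with the TPM 2.0 PCR extend rule (new PCR = SHA-256(old PCR || measured digest)) and each component hash is checked against a server-side list of expected values; the component names and hashes are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extend(pcr: bytes, digest_hex: str) -> bytes:
    """TPM 2.0 PCR extend: new PCR = SHA-256(old PCR || measured digest)."""
    return hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()

def replay_log(log: list[tuple[str, str]]) -> str:
    """Recompute the aggregate PCR a device would report from its event log."""
    pcr = b"\x00" * 32  # PCRs are all-zero at power-on
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr.hex()

def verify_attestation(reported_pcr: str, log: list[tuple[str, str]],
                       golden: dict[str, str]) -> tuple[bool, list[str]]:
    """Server-side check: the log must replay to the reported PCR and every
    component must match its expected hash. Returns (admit, reasons)."""
    reasons = []
    if replay_log(log) != reported_pcr:
        reasons.append("event log does not replay to the reported PCR value")
    for name, digest in log:
        if name not in golden:
            reasons.append(f"unexpected component measured: {name}")
        elif golden[name] != digest:
            reasons.append(f"{name} hash differs from expected value")
    for name in sorted(set(golden) - {n for n, _ in log}):
        reasons.append(f"expected component not measured: {name}")
    return (not reasons, reasons)

# Constructed golden values for a hypothetical appliance image (not real hashes).
GOLDEN = {n: sha256_hex(f"{n} v1 (constructed)".encode())
          for n in ("bootloader", "kernel", "rootfs")}

def good_device() -> tuple[bool, list[str]]:
    log = [(n, GOLDEN[n]) for n in ("bootloader", "kernel", "rootfs")]
    return verify_attestation(replay_log(log), log, GOLDEN)

def tampered_device() -> tuple[bool, list[str]]:
    # Kernel image altered in transit: its hash, and therefore the PCR, change.
    log = [("bootloader", GOLDEN["bootloader"]),
           ("kernel", sha256_hex(b"kernel v1 (modified in transit)")),
           ("rootfs", GOLDEN["rootfs"])]
    return verify_attestation(replay_log(log), log, GOLDEN)
```

A device whose log replays correctly but contains one altered component is denied with the offending component named, which is what lets engineers see that something was modified rather than just that access failed.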
The NetOps Console Server
The new Opengear NetOps Console Server includes a TPM 2.0 chip, which consists of an encryption engine with secure memory. TPM technology has been common in laptops and server systems for a few years, but Opengear is one of the first vendors to include it, and use its capabilities, in a network appliance.
Organizations deploying equipment to a new site aren't always able to have technicians on site. The NetOps Console Server is a secure device that can be sent to a new location to manage Day One deployments; its embedded TPM 2.0 chip protects configuration files and prevents tampering.
When the device lands at the new site, it uses a secure 4G LTE connection to call home, enabling the deployment process to be managed through our centralized management software. Up-to-date configuration and image files are pulled in, while standard Docker containers and a Python runtime environment allow automation procedures to run directly on the device.
The TPM in the NetOps Console Server provides:
- Secure Boot: The firmware is signed, and the signature is validated by the TPM chip when the unit is powered on. The TPM stops the boot process if the firmware image has been tampered with. This prevents the introduction of malicious code that could compromise the security of the device
- Secure Configuration: The contents of the config partition are encrypted, with the keys stored in secure memory, so all corporate information, such as passwords, VPN keys, network addresses and topology information, is protected. If a bad actor steals a unit or gains undue physical access to it, they cannot retrieve any critical information. That is relevant for companies shipping pre-configured units to remote locations where shipping carriers, co-location employees, rack-and-stack contractors and other untrusted personnel have temporary custody of the equipment
Learn more about how the NetOps Console Servers with embedded TPM 2.0 chips will ensure simple and secure Day One Deployments for your organization.
[1] https://www.laptopmag.com/articles/tpm-chip-faq
[2] https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/