mmvdisk tpm command

Manages master encryption keys (MEK), which are used to support self-encrypting drives (SED), in a trusted platform module version 2.0 (TPM 2.0).

Synopsis

mmvdisk tpm setup [--password-file fileName]

or

mmvdisk tpm chpasswd [--old-password-file fileName --new-password-file fileName]

or

mmvdisk tpm createSlots --number-of-slots numberOfNVSlots [--nv-slot-id slotId]
         [--password-file fileName]

or

mmvdisk tpm genkey --nv-slot-id slotId [--password-file fileName]

or

mmvdisk tpm migratekey --nv-slot-id slotId {--source | -s} sourceNode 
      {-N Node1,Node2, …,NodeN | --node-class nodeClass}

or

mmvdisk tpm list {-N Node1, …,NodeN | --node-class nodeClass}

Availability

Available on IBM Storage Scale Data Management Edition or IBM Storage Scale Developer Edition.

Description

Use the mmvdisk tpm command to manage MEK on TPM2.0 for SED support.

Password files: Several sub-command options require a password file as a parameter. A password file is a text file that contains the password at its beginning. The password constraints are as follows:
  • Must be 1 - 31 characters in length.
  • Can contain digits 0 through 9.
  • Can contain capital letters A to Z.
  • Can contain lowercase letters a to z.
  • Can contain the special characters !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~.
Because the password file is security-sensitive, it must have the following characteristics:
  • It must be a regular file.
  • It must be owned by the root user.
  • Only the root user must have permission to read or write it.
If a password file is provided, the password from the file is used. If no password file is provided, you are prompted to enter the password interactively.
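The constraints above can be verified before the file is passed to the command. The following validator is an added example and is not part of mmvdisk; it assumes the password occupies the first line of the file, and that the permitted special characters are exactly the set listed above (which is the same set as Python's string.punctuation).

```python
import os
import stat
import string

# Allowed characters, exactly the classes listed above: digits, A-Z, a-z and the
# special characters !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (Python's string.punctuation).
ALLOWED = frozenset(string.digits + string.ascii_letters + string.punctuation)
MAX_LEN = 31

def password_violations(password):
    """Return the list of constraint violations for a candidate password (empty if valid)."""
    problems = []
    if not 1 <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} not in 1-{MAX_LEN}")
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("disallowed characters: " + repr("".join(bad)))
    return problems

def file_violations(st_mode, st_uid):
    """Check the stat() mode and owner of a password file against the rules above."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0:
        problems.append(f"owned by uid {st_uid}, not root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st_mode):04o} grants group/other access")
    return problems

def check_password_file(path):
    """Validate an on-disk password file; the password is assumed to be the first line."""
    st = os.lstat(path)  # lstat: a symlink to a root-owned file is still not a regular file
    problems = file_violations(st.st_mode, st.st_uid)
    if stat.S_ISREG(st.st_mode):
        with open(path, encoding="ascii", errors="replace") as f:
            problems += password_violations(f.readline().rstrip("\r\n"))
    return problems
```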
NV slot IDs: Several sub-command options require an NV slot as a parameter. An NV slot is a region of non-volatile TPM memory that is used to store an MEK. Each NV slot has a unique ID, specified as a hexadecimal number, called the NV slot ID. The accepted NV slot IDs are in the range 0x01500000 through 0x015FFFFF. You can create a maximum of 20 slots in a TPM.
mmvdisk tpm setup
Configures a TPM 2.0 device that is attached to the local node for SED support by setting the admin password for the owner hierarchy of the TPM 2.0. After the admin password is set, you can change it by using the mmvdisk tpm chpasswd command.
CAUTION:
The clear function of the TPM must be disabled. If not, there is a potential risk of losing MEKs. If MEKs are lost, access to the data is permanently lost.
mmvdisk tpm chpasswd
Changes the admin password of the owner hierarchy of TPM 2.0 on the local node. Before the admin password is updated, you must authenticate to the TPM by using the old password. The old and new passwords can be provided in password files. If the password files are not provided, you must enter the passwords interactively.
mmvdisk tpm createSlots
Creates the specified number of NV slots to store MEKs for SED support on the local node. The NV slots are created contiguously, starting from the specified slot. If the starting slot ID is not specified, the command chooses the specified number of available contiguous slots when it creates them.
mmvdisk tpm genkey
Generates a new FIPS-compliant AES 256-bit MEK in the user-specified NV slot on the local node, provided that the key in the specified NV slot is not in use.
Note: OpenSSL 3.0 or later is required to create MEKs.
mmvdisk tpm migratekey
Migrates the MEK from the source node (origin) to the nodes of the node class or the nodes specified. Before you run this command, ensure that the MEK is available in the specified NV slot on the TPM of the source node and also ensure that the destination nodes have the same NV slots available. The mmvdisk tpm genkey command must be run on the source node to generate and store the MEK in the specified NV slot.
mmvdisk tpm list
Lists the NV slots that are created on the specified nodes. Only the NV slots that are created for storing MEKs are listed. It lists the MEK key ID, the NV slot ID, and the key in-use attribute for all NV slots on the specified nodes or on the nodes of the node class.

Parameters

setup
Configures the TPM 2.0 by setting the admin password for the owner hierarchy of TPM 2.0.
--password-file fileName
Specifies the password file name whose content is used as the admin password for the TPM2 owner hierarchy.
chpasswd
Changes the owner hierarchy admin password of TPM.
--old-password-file fileName
Specifies the password file name whose content is used as the old admin password for the TPM2 owner hierarchy.
--new-password-file fileName
Specifies the password file name whose content is used as the new admin password for the TPM2 owner hierarchy.
createSlots
Creates the NV slots to store MEKs for SED support.
--password-file fileName
Specifies a password file name whose content is used as the password for the TPM2 owner hierarchy.
--number-of-slots numberOfNVSlots
Specifies the number of NV slots that the user wants to create.
--nv-slot-id slotId
Specifies the starting NV slot ID.
genkey
Generates a new FIPS-compliant AES 256-bit MEK into a user-specified NV slot.
--nv-slot-id slotId
Specifies the NV slot ID where the generated MEK is stored.
--password-file fileName
Specifies the password file name whose content is used as an owner hierarchy password for TPM2.
migratekey
Migrates the MEK key from the source node to the destination nodes.
--nv-slot-id slotId
Specifies the NV slot ID of the source node TPM whose MEK is copied to the same NV slot on the destination node TPMs.
{--source | -s} sourceNode
Specifies the source node of the generated MEK.
-N Node1,Node2, …,NodeN
Specifies one or more destination node names.
--node-class nodeClass
Specifies the name of a node class.
list
Lists the NV slots that are created on the specified nodes.
-N Node1,Node2, …,NodeN
Specifies one or more node names.
--node-class nodeClass
Specifies a name of a node class.

Exit status

0
Successful completion.
nonzero
A failure occurred.

Security

You must have root authority to run the mmvdisk tpm command.

The node where the mmvdisk tpm migratekey and mmvdisk tpm list commands are issued must be able to run remote shell commands on any other node in the cluster without using a password and without producing any extraneous messages.

Example

  1. To set the admin password for the TPM on the local node, issue the following command:
    # mmvdisk tpm setup --password-file ./passfile
    A sample output is as follows:
    mmvdisk: Starting TPM Setup
    TPM setup completed successfully
  2. To change the TPM admin password on local node, issue the following command:
    # mmvdisk tpm chpasswd --old-password-file ./oldpass --new-password-file ./newpass
    A sample output is as follows:
    Changed TPM ownership password successfully.
  3. To create two NV slots on the local node starting from the 0X15ffffa NV slot, issue the following command:
    # mmvdisk tpm createSlots --number-of-slots 2 --nv-slot-id 0X15ffffa --password-file ./passfile
    A sample output is as follows:
    mmvdisk: Creating 2 NV Slots
    mmvdisk: Created NV Slot 0x15ffffa.
    mmvdisk: Created NV Slot 0x15ffffb.
    mmvdisk: All the NV Slots are created successfully.
  4. To generate MEK into the 0x15ffffa TPM NV slot on the local node, issue the following command:
    # mmvdisk tpm genkey --nv-slot-id 0x15ffffa --password-file ./passfile
    A sample output is as follows:
    mmvdisk: Generated a key successfully in the slot 0x15ffffa
  5. To migrate the MEK from the 0x15ffffb NV slot on Node1 to the 0x15ffffb NV slot on Node2, issue the following command:
    # mmvdisk tpm  migratekey --nv-slot-id 0x15ffffb -s Node1 -N Node2
    A sample output is as follows:
    mmvdisk: Node1 : Succefully migrated key in slot 0x15FFFFB on node Node2.
    mmvdisk: From Node Node1 Successfully migrated key in slot 0x15FFFFB to all the nodes.
  6. To list the NV slots created on Node1 and Node2, issue the following command. It also lists the key IDs and key in-use attributes of the NV slots.
    # mmvdisk tpm list --nc nc1
    A sample output is as follows:
    List of NV Slots
    
    Node Name NV Slot ID  Key Id                                                            Key In Use
    --------- ----------  ----------------------------------------------------------------  ----------
    Node1     0x15ffffa   C1B015AFCEAE26A9158C682C75F7FBF4935DD57FE581E67B5E96E10409780682  Yes
    Node1     0x15ffffb   1084BD53D0A4CC7D2CD4E1DA0AA04441416FC08728483B622C42C0603968D5D9  No
    Node2     0x15ffffa   C1B015AFCEAE26A9158C682C75F7FBF4935DD57FE581E67B5E96E10409780682  Yes
    Node2     0x15ffffb   NULL                                                              No
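Before relying on a migrated MEK, an administrator typically wants to confirm that every node in the node class holds the same key in the same slot. The following parser and consistency check is an added example, not part of mmvdisk; it consumes the sample list output above (embedded as constructed input) and reports slots that are outside the accepted ID range, missing or empty on a node, or hold different key IDs across nodes, which is exactly the state of slot 0x15ffffb in the sample before the key is migrated to Node2.

```python
import re
from collections import defaultdict

NV_SLOT_MIN, NV_SLOT_MAX = 0x01500000, 0x015FFFFF  # accepted NV slot ID range

# Constructed test input: the sample output of mmvdisk tpm list from the example above.
SAMPLE_LIST_OUTPUT = """\
List of NV Slots

Node Name NV Slot ID  Key Id                                                            Key In Use
--------- ----------  ----------------------------------------------------------------  ---------
Node1     0x15ffffa   C1B015AFCEAE26A9158C682C75F7FBF4935DD57FE581E67B5E96E10409780682  Yes
Node1     0x15ffffb   1084BD53D0A4CC7D2CD4E1DA0AA04441416FC08728483B622C42C0603968D5D9  No
Node2     0x15ffffa   C1B015AFCEAE26A9158C682C75F7FBF4935DD57FE581E67B5E96E10409780682  Yes
Node2     0x15ffffb   NULL                                                              No
"""

# One data row: node name, hex slot ID, key ID (or NULL), in-use flag.
ROW_RE = re.compile(r"^(\S+)\s+(0[xX][0-9a-fA-F]+)\s+(\S+)\s+(Yes|No)\s*$")

def parse_list_output(text):
    """Return {slot_id: {node: (key_id or None, in_use)}} from mmvdisk tpm list output."""
    slots = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title, header, separator or blank line
        node, slot_hex, key_id, in_use = m.groups()
        slots[int(slot_hex, 16)][node] = (None if key_id == "NULL" else key_id.upper(), in_use == "Yes")
    return dict(slots)

def slot_report(slots, expected_nodes):
    """Flag slots that are out of range, absent or empty on a node, or hold different MEKs."""
    findings = []
    for slot, per_node in sorted(slots.items()):
        tag = f"{slot:#x}"
        if not NV_SLOT_MIN <= slot <= NV_SLOT_MAX:
            findings.append((tag, "slot ID outside 0x01500000-0x015FFFFF"))
        missing = sorted(set(expected_nodes) - set(per_node))
        if missing:
            findings.append((tag, f"slot not created on {missing}"))
        empty = [n for n, (key, _) in per_node.items() if key is None]
        if empty:
            findings.append((tag, f"no MEK stored on {empty}"))
        if len({key for key, _ in per_node.values() if key is not None}) > 1:
            findings.append((tag, "nodes hold different MEKs in this slot"))
    return findings
```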

Location

/usr/lpp/mmfs/bin