FortiPAM can be deployed with a Trusted Platform Module (TPM) to improve the protection of the secret credentials stored on FortiPAM. Refer to the deployment guide for deploying FortiPAM on Hyper-V with TPM enabled: Installation on Hyper-V
The following command lets the administrator verify whether TPM is supported on the hypervisor platform:
diagnose hardware deviceinfo tpm
If the hypervisor platform has been configured to support TPM, output similar to the following is observed:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 116
TPM_PT_DAY_OF_YEAR: 302
TPM_PT_YEAR: 2014
TPM_PT_MANUFACTURER: MSFT
TPM_PT_VENDOR_STRING: IoT Software TPM
TPM_PT_VENDOR_STRING_1 in HEX: 0x496f5420
TPM_PT_VENDOR_STRING_2 in HEX: 0x536f6674
TPM_PT_VENDOR_STRING_3 in HEX: 0x77617265
TPM_PT_VENDOR_STRING_4 in HEX: 0x2054504d
TPM_PT_VENDOR_TPM_TYPE: 1
TPM_PT_FIRMWARE_VERSION: 8213.275.21.18466
TPM_PT_FIRMWARE_VERSION in HEX: 0x2015011300154822
TPM_PT_MEMORY:
=========================================================
Shared RAM: 0 CLEAR
Shared NV: 1 SET
Object Copied To Ram: 1 SET
TPM_PT_PERMANENT:
=========================================================
Owner Auth Set: 0 CLEAR
Sendorsement Auth Set: 0 CLEAR
Lockout Auth Set: 0 CLEAR
Disable Clear: 0 CLEAR
In Lockout: 0 CLEAR
TPM Generated EPS: 1 SET
However, if TPM is not enabled on the hypervisor platform, the following output is observed:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
Error opening the device. Unexpected error: 0x00000002
As mentioned in the deployment guide, enabling and disabling (v)TPM frequently is not recommended. The following scenarios explain why:
Scenario 1: TPM enabled on Hyper-V, but vTPM and private data encryption not enabled on FortiPAM.
In this scenario, the log and video disks are not affected by disabling TPM on the hypervisor platform, because the feature was only enabled on the hypervisor while vTPM and private data encryption were never configured on FortiPAM. Logs remain visible after TPM is disabled on the hypervisor platform.
TPM enabled, vTPM and encryption disabled:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 116
TPM_PT_DAY_OF_YEAR: 302
TPM_PT_YEAR: 2014
TPM_PT_MANUFACTURER: MSFT
TPM_PT_VENDOR_STRING: IoT Software TPM
TPM_PT_VENDOR_STRING_1 in HEX: 0x496f5420
TPM_PT_VENDOR_STRING_2 in HEX: 0x536f6674
TPM_PT_VENDOR_STRING_3 in HEX: 0x77617265
TPM_PT_VENDOR_STRING_4 in HEX: 0x2054504d
TPM_PT_VENDOR_TPM_TYPE: 1
TPM_PT_FIRMWARE_VERSION: 8213.275.21.18466
TPM_PT_FIRMWARE_VERSION in HEX: 0x2015011300154822
TPM_PT_MEMORY:
=========================================================
Shared RAM: 0 CLEAR
Shared NV: 1 SET
Object Copied To Ram: 1 SET
TPM_PT_PERMANENT:
=========================================================
Owner Auth Set: 0 CLEAR
Sendorsement Auth Set: 0 CLEAR
Lockout Auth Set: 0 CLEAR
Disable Clear: 0 CLEAR
In Lockout: 0 CLEAR
TPM Generated EPS: 1 SET

FortiPAM-HyperV # execute disk list
Disk HD1 ref: 16  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdb
  partition ref: 17  29.4GiB, 29.4GiB free  mounted: Y  label: LOGUSEDXC10971D0  dev: /dev/sdb1  start: 10240
Disk HD2 ref: 32  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdc
  partition ref: 33  29.4GiB, 29.4GiB free  mounted: Y  label: PAMVIDEOA5DA09EE  dev: /dev/sdc1  start: 10240

FortiPAM-HyperV # exec disk encryption log
Log disk status:
1. Mount:
   device name: /dev/sdb1
   directory: /var/log
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Disable
   Disk is /dev/sdb1 and it is not in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.

FortiPAM-HyperV # exec disk encryption video
Video disk status:
1. Mount:
   device name: /dev/sdc1
   directory: /var/storage/HD2-PAMVIDEOA5DA09EE
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Disable
   Disk is /dev/sdc1 and it is not in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
After disabling TPM on the hypervisor platform:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
Error opening the device. Unexpected error: 0x00000002

FortiPAM-HyperV # execute disk list
Disk HD1 ref: 16  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdb
  partition ref: 17  29.4GiB, 29.4GiB free  mounted: Y  label: LOGUSEDXC10971D0  dev: /dev/sdb1  start: 10240
Disk HD2 ref: 32  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdc
  partition ref: 33  29.4GiB, 29.4GiB free  mounted: Y  label: PAMVIDEOA5DA09EE  dev: /dev/sdc1  start: 10240

FortiPAM-HyperV # execute disk encryption log
Log disk status:
1. Mount:
   device name: /dev/sdb1
   directory: /var/log
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Disable
   Disk is /dev/sdb1 and it is not in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.

FortiPAM-HyperV # execute disk encryption video
Video disk status:
1. Mount:
   device name: /dev/sdc1
   directory: /var/storage/HD2-PAMVIDEOA5DA09EE
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Disable
   Disk is /dev/sdc1 and it is not in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
Logs remain visible:

Scenario 2: TPM, vTPM, and encryption enabled; TPM is later disabled on the hypervisor platform.
In this scenario, FortiPAM is configured with vTPM, private data encryption, and disk encryption as recommended in the deployment guide. If TPM is then disabled on the hypervisor platform, vTPM stops working in FortiPAM.
TPM, vTPM, and encryption enabled:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 116
TPM_PT_DAY_OF_YEAR: 302
TPM_PT_YEAR: 2014
TPM_PT_MANUFACTURER: MSFT
TPM_PT_VENDOR_STRING: IoT Software TPM
TPM_PT_VENDOR_STRING_1 in HEX: 0x496f5420
TPM_PT_VENDOR_STRING_2 in HEX: 0x536f6674
TPM_PT_VENDOR_STRING_3 in HEX: 0x77617265
TPM_PT_VENDOR_STRING_4 in HEX: 0x2054504d
TPM_PT_VENDOR_TPM_TYPE: 1
TPM_PT_FIRMWARE_VERSION: 8213.275.21.18466
TPM_PT_FIRMWARE_VERSION in HEX: 0x2015011300154822
TPM_PT_MEMORY:
=========================================================
Shared RAM: 0 CLEAR
Shared NV: 1 SET
Object Copied To Ram: 1 SET
TPM_PT_PERMANENT:
=========================================================
Owner Auth Set: 0 CLEAR
Sendorsement Auth Set: 0 CLEAR
Lockout Auth Set: 0 CLEAR
Disable Clear: 0 CLEAR
In Lockout: 0 CLEAR
TPM Generated EPS: 1 SET

FortiPAM-HyperV # execute disk list
Disk HD1 ref: 16  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdb
  partition ref: 17  29.4GiB, 29.3GiB free  mounted: N  label: LOGUSEDXC10971D0  dev: /dev/sdb1  start: 10240
Disk HD2 ref: 32  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdc
  partition ref: 33  29.4GiB, 29.3GiB free  mounted: N  label: PAMVIDEOA5DA09EE  dev: /dev/sdc1  start: 10240

FortiPAM-HyperV # execute disk encryption log
Log disk status:
1. Mount:
   device name: /dev/mapper/dm_log
   directory: /var/log
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Enable
   Disk is /dev/sdb1 and it is in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
3. Open:
   [Good] Disk is opened and active.
4. Disk LUKS HEADER:
   LUKS header information
   Version:        2
   Epoch:          3
   Metadata area:  16384 [bytes]
   Keyslots area:  16744448 [bytes]
   UUID:           983b4b76-f4c5-4356-b1e6-e9c9c7bf1ea6
   Label:          LOGUSEDXC10971D0
   Subsystem:      (no subsystem)
   Flags:          (no flags)

   Data segments:
     0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

   Keyslots:
     0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     827440
        Threads:    2
        Salt:       93 f3 67 9b 9e 0e 62 8c ef de 96 b9 f4 e5 cc 57
                    64 c5 a3 9a 9f fe 25 37 09 b1 99 60 e7 ad 32 8d
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
   Tokens:
   Digests:
     0: pbkdf2
        Hash:       sha256
        Iterations: 129007
        Salt:       02 b0 4b 11 e0 5b 68 5c e9 e8 ea ad 4d 48 ab be
                    60 2c 72 bc d1 75 1a 6e 61 ba b0 e5 f3 2d d6 9f
        Digest:     bc 35 ec 1

FortiPAM-HyperV # execute disk encryption video
Video disk status:
1. Mount:
   device name: /dev/mapper/dm_video
   directory: /var/storage/HD2-PAMVIDEOA5DA09EE
   filesystem type: ext4
2. Configuration:
   In configuration file, disk encryption is Enable
   Disk is /dev/sdc1 and it is in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
3. Open:
   [Good] Disk is opened and active.
4. Disk LUKS HEADER:
   LUKS header information
   Version:        2
   Epoch:          3
   Metadata area:  16384 [bytes]
   Keyslots area:  16744448 [bytes]
   UUID:           4b1c6a4e-498a-4efa-bb93-c0320cc46936
   Label:          PAMVIDEOA5DA09EE
   Subsystem:      (no subsystem)
   Flags:          (no flags)

   Data segments:
     0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

   Keyslots:
     0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     847860
        Threads:    2
        Salt:       35 78 68 13 4f ef 27 f6 f8 a4 d1 e0 fb 40 ab 14
                    c9 9a 06 2d 2d 95 41 0b d9 05 80 57 20 01 0f 78
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
   Tokens:
   Digests:
     0: pbkdf2
        Hash:       sha256
        Iterations: 126030
        Salt:       95 be 3e d8 c4 30 2d d5 71 d6 87 dc 39 47 9d 70
                    73 bd 1a 23 dd de b6 1f c2 64 9e 3d 24 24 c8 56
        Digest:     b2 a8 84 7
After disabling TPM on the hypervisor platform:
FortiPAM-HyperV # diagnose hardware deviceinfo tpm
Error opening the device. Unexpected error: 0x00000002

FortiPAM-HyperV # execute disk list
Disk HD1 ref: 16  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdb
  partition ref: 17  30.0GiB, 30.0GiB free  mounted: N  label: LOGUSEDXC10971D0  dev: /dev/sdb1  start: 10240
Disk HD2 ref: 32  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdc
  partition ref: 33  30.0GiB, 30.0GiB free  mounted: N  label: PAMVIDEOA5DA09EE  dev: /dev/sdc1  start: 10240

FortiPAM-HyperV # execute disk encryption log
Log disk status:
1. Mount:
   [Error] disk is not mount! Reboot device might solve the problem.
2. Configuration:
   In configuration file, disk encryption is Enable
   Disk is /dev/sdb1 and it is in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
3. Open:
   [ERROR] disk cannot be opened by using the disk encryption password in configuration file.

FortiPAM-HyperV # execute disk encryption video
Video disk status:
1. Mount:
   [Error] disk is not mount! Reboot device might solve the problem.
2. Configuration:
   In configuration file, disk encryption is Enable
   Disk is /dev/sdc1 and it is in encrypted format.
   [Good] Disk format matches the disk encryption setting in configuration file.
3. Open:
   [ERROR] disk cannot be opened by using the disk encryption password in configuration file.
FortiPAM system status:
FortiPAM-HyperV # get system status | grep "Log hard disk:"
Log hard disk: Need format    <----- Indicates that the hard disk requires formatting.
The following error is observed in the GUI:

Because FortiPAM cannot open the log disk and the video disk, historical logs and recordings are also unavailable:

The following error message is observed in the console, showing that the encrypted disk cannot be opened:

The log disk can only be reused for logging after it is reformatted:
FortiPAM-HyperV # execute disk format <integer>
<integer>    partition/device reference number(s) come from 'exec disk list'
In the demo VM, the command is illustrated as follows:
FortiPAM-HyperV # execute disk list
Disk HD1 ref: 16  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdb
  partition ref: 17  30.0GiB, 30.0GiB free  mounted: N  label: LOGUSEDXC10971D0  dev: /dev/sdb1  start: 10240
Disk HD2 ref: 32  30.0GiB type: HV  [Msft Virtual Disk] dev: /dev/sdc
  partition ref: 33  30.0GiB, 30.0GiB free  mounted: N  label: PAMVIDEOA5DA09EE  dev: /dev/sdc1  start: 10240

FortiPAM-HyperV # execute disk format 33
format requested for: device=/dev/sdc1 33/HD2 status=enable media-status=enable
Formatting this storage will erase all data on it
This action requires the unit to reboot.
Do you want to continue? (y/n) y
Note that historical data is NOT recoverable after the disks are formatted.
Best practices and key points:
- Decide at the design stage whether TPM is required.
- Avoid enabling and disabling TPM and private data encryption repeatedly.
- Perform a VM snapshot before disabling TPM on the hypervisor or FortiPAM platform.
- Export the logs and video logs before performing any changes.
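To support the second and third points, the following pre-change check is added here as an example; it is not FortiPAM's own tooling. It parses the outputs of 'diagnose hardware deviceinfo tpm' and 'execute disk encryption log|video' shown above (the sample strings are constructed from this page's outputs) and reports, per disk, what disabling the TPM on the hypervisor would do to it, so that a snapshot and log export happen before a LUKS disk is stranded as in scenario 2.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DiskStatus:
    name: str               # "log" or "video"
    device: str             # backing partition, e.g. /dev/sdb1
    encrypted: bool         # "disk encryption is Enable" in the Configuration line
    opened: Optional[bool]  # None when the output has no "Open:" line (plain disk)

def tpm_present(tpm_output: str) -> bool:
    """True when 'diagnose hardware deviceinfo tpm' lists TPM properties instead of the open error."""
    return "Error opening the device" not in tpm_output and "TPM_PT_FAMILY_INDICATOR" in tpm_output

def parse_disk_status(name: str, output: str) -> DiskStatus:
    """Parse the output of 'execute disk encryption log' or 'execute disk encryption video'."""
    enc = re.search(r"disk encryption is (Enable|Disable)", output)
    dev = re.search(r"Disk is (/dev/\S+)", output)
    if enc is None or dev is None:
        raise ValueError(f"unrecognised disk status output for {name} disk")
    opened = None
    if re.search(r"\d+\. Open:", output):
        opened = "[Good] Disk is opened" in output
    return DiskStatus(name, dev.group(1), enc.group(1) == "Enable", opened)

def assess(tpm: bool, disks: List[DiskStatus]) -> List[str]:
    """One finding per disk, in input order; the first word is the severity."""
    findings = []
    for d in disks:
        if not d.encrypted:
            sev, why = "OK", "plain disk; a TPM change does not affect it (scenario 1)"
        elif d.opened is False:
            sev, why = "CRITICAL", "encrypted disk cannot be opened; only 'execute disk format' restores it and historical data is lost"
        elif tpm:
            sev, why = "HIGH", "open LUKS disk depends on the TPM; snapshot the VM and export logs before disabling TPM (scenario 2)"
        else:
            sev, why = "WARN", "encrypted disk is open but no TPM was detected; confirm the key source before any change"
        findings.append(f"{sev} {d.name} {d.device}: {why}")
    return findings

# Constructed samples, condensed from the CLI outputs shown on this page.
TPM_OK = "TPM capability information of fixed properties:\nTPM_PT_FAMILY_INDICATOR: 2.0\n"
TPM_MISSING = "Error opening the device. Unexpected error: 0x00000002\n"
CFG = "2. Configuration: In configuration file, disk encryption is {} Disk is /dev/sdb1 and it is {}in encrypted format.\n"
LOG_PLAIN = "1. Mount: device name: /dev/sdb1 directory: /var/log filesystem type: ext4\n" + CFG.format("Disable", "not ")
LOG_LUKS_OPEN = ("1. Mount: device name: /dev/mapper/dm_log directory: /var/log filesystem type: ext4\n"
                 + CFG.format("Enable", "") + "3. Open: [Good] Disk is opened and active.\n")
LOG_LUKS_LOCKED = ("1. Mount: [Error] disk is not mount! Reboot device might solve the problem.\n" + CFG.format("Enable", "")
                   + "3. Open: [ERROR] disk cannot be opened by using the disk encryption password in configuration file.\n")
```

Run it against the real CLI output captured before the change: a HIGH finding means the snapshot and export steps above are mandatory, and a CRITICAL finding after the change means the disk is already in the scenario 2 state.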