Version: 5.3

Docker Container with TPM2

Advantages:

  • Allows multiple online or offline licensed Docker containers on the same Linux host.
  • Docker containers without TPM 2 require regular internet access, or they stop functioning (Windows is not affected by this). With the TPM, the container no longer depends on an internet connection.
  • The TPM is only used for storing the license identity; it has nothing to do with whether the license itself is activated online or offline.
  • Supported from OPC Router 4.27.5018.76 Hotfix 6.

Prerequisites:

  1. A Linux host with TPM
    1. A physical host with a TPM 2 chip.

    2. For Hyper-V VMs, the virtual TPM can be enabled in the VM's Security settings (Enable Trusted Platform Module; requires a Generation 2 VM).

    3. For Wago Edge devices, it must be enabled in the BIOS:

      BIOS => Advanced => Trusted Computing => Security Device Support => Enable
    4. Verify with:

      ls /dev | grep tpm

      It is successful if a tpm device is listed. On a host with a TPM 2 and a current kernel this shows both tpm0 (the raw device, which only one process can open at a time) and tpmrm0 (the kernel's TPM resource manager, which is the node the container will be given).
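The following pre-flight script is an added example, not part of the OPC Router documentation. It automates the check above: it looks for the resource manager node tpmrm0 (the node the container needs) rather than just any entry matching "tpm", distinguishes "no TPM at all" from "raw tpm0 present but no resource manager", and refuses a node that is not a character device. It only inspects the device directory (assumed to be /dev unless another directory is passed as the first argument) and never talks to the TPM itself.

```shell
#!/bin/sh
# Added example, not from the OPC Router documentation: a pre-flight check that
# the Linux host exposes a usable TPM device node before any container is started.
# It only inspects /dev (or a directory given as $1); it does not talk to the TPM.
set -eu

# tpm_node_status DEVDIR NAME
# Prints one status word and returns:
#   0  DEVDIR/NAME exists and is a character device (usable with docker --device)
#   1  DEVDIR/NAME does not exist
#   2  DEVDIR/NAME exists but is not a character device (e.g. a stray regular file)
tpm_node_status() {
    path="$1/$2"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi
    if [ ! -c "$path" ]; then
        echo "not-a-char-device"
        return 2
    fi
    echo "ok"
    return 0
}

# tpm_preflight [DEVDIR]
# Returns 0 only when the kernel TPM resource manager node (tpmrm0) is usable,
# which is the node the container should be given. Otherwise it explains what
# is missing: no TPM at all, or a raw tpm0 without the resource manager.
tpm_preflight() {
    devdir=${1:-/dev}
    rc=0
    status=$(tpm_node_status "$devdir" tpmrm0) || rc=$?
    case $rc in
        0)
            echo "ok: $devdir/tpmrm0 present; pass it with --device $devdir/tpmrm0:/dev/tpmrm0"
            return 0
            ;;
        1)
            if [ -c "$devdir/tpm0" ]; then
                echo "fail: $devdir/tpm0 exists but $devdir/tpmrm0 does not; the kernel has no TPM resource manager (needs Linux 4.12 or newer)"
            else
                echo "fail: no TPM device in $devdir; enable the TPM in the VM settings or BIOS"
            fi
            return 1
            ;;
        *)
            echo "fail: $devdir/tpmrm0 is $status; remove it and check the TPM driver"
            return 2
            ;;
    esac
}

# Run the check only when invoked as a script with TPM_PREFLIGHT_RUN=1;
# sourcing the file just defines the functions.
# Usage: TPM_PREFLIGHT_RUN=1 sh tpm-preflight.sh [/dev]
if [ "${TPM_PREFLIGHT_RUN:-0}" = "1" ]; then
    tpm_preflight "${1:-/dev}"
fi
```

The return codes are meant for a provisioning pipeline: anything other than 0 should stop the container rollout, since a container started without a usable tpmrm0 will not be TPM-licensed.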

Starting Docker with TPM

Example to start an OPC Router Docker container with TPM:

docker run -d \
-p 27021:27017 \
--name opc-router1 \
--hostname opc-router1 \
-v /data/db1:/data/db \
-v /data-keys:/data/key-storage/ \
--device /dev/tpmrm0:/dev/tpmrm0 \
-e "INRAY_RSA_STORAGE=TPM" \
-e "OR_I_ACCEPT_EULA=true" \
-e "DOTNET_RUNNING_IN_CONTAINER=true" \
opcrouter/runtime

Relevant Arguments:

--hostname opc-router1

Used by the container as its identity on the host. The hostname must stay the same for the lifetime of a container, including when it is re-created with the same volumes; otherwise it loses its identity and with it the license. Each container should have a unique hostname. If --hostname is omitted, Docker uses the container ID as the hostname, which is different every time the container is re-created.

-v /data/db1:/data/db -v /data-keys:/data/key-storage/

Specify where the container's data is kept on the host; the key-storage mount is where the TPM key files are stored. A separate folder is created there for each --hostname. If that folder is deleted or cannot be reached by the container, the license associated with it is also lost, so keep the mount path stable across container re-creations.

note

Technical Explanation: TPM storage space is extremely limited, so as much as possible is offloaded to the hard drive. The files are bound to the TPM that created them and cannot be used with any other TPM (for example after copying them to another host), so no additional file protection measures are required for confidentiality. They can still be deleted or overwritten, which loses the license, so protect the folder against accidental deletion and restrict write access to it; a backup of the folder is only usable on the same host.

--device /dev/tpmrm0:/dev/tpmrm0

This allows the container to use the host's TPM resource manager. The resource manager multiplexes the TPM between processes, which is what lets several containers on one host share it.

warning

-v /dev/tpmrm0:/dev/tpmrm0 may appear to work, but it doesn't: a bind mount only makes the device node visible inside the container, while Docker's device cgroup still denies access to it, so opening the TPM fails. The TPMRM must always be passed with --device.

-e "INRAY_RSA_STORAGE=TPM"

This forces the container to use TPM for licensing.
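The launcher below is an added example, not OPC Router's own tooling. It turns the single docker run command above into a repeatable way of starting several TPM-licensed containers on one host, with the rules from this section enforced in code: every instance gets a fixed, unique hostname, the TPM node is always passed with --device, and a command that bind-mounts /dev/tpmrm0 with -v or leaves out --hostname is refused before anything is started. It also reports whether a key folder for that hostname already exists, which tells you whether you are re-creating a licensed container or creating a new identity. Assumptions not taken from the documentation: instance N publishes host port 27020+N (so instance 1 matches the example's 27021), its database lives in /data/dbN, and the per-hostname folder the container creates under the key-storage mount is named after the hostname.

```shell
#!/bin/sh
# Added example, not OPC Router's own tooling: start several TPM-licensed
# OPC Router containers on one host, each with a stable, unique hostname.
# Assumptions (not from the documentation): instance N uses host port 27020+N,
# its database lives in $DATA_ROOT/dbN, and the per-hostname key folder that the
# container creates under the key-storage mount is named after the hostname.
set -eu

IMAGE=opcrouter/runtime              # image used in the documentation's example
TPM_DEV=/dev/tpmrm0                  # kernel TPM resource manager node
DATA_ROOT=${DATA_ROOT:-/data}        # host root for per-instance database folders
KEY_ROOT=${KEY_ROOT:-/data-keys}     # shared key-storage mount, one subfolder per hostname
BASE_PORT=27020                      # instance 1 -> 27021, as in the documentation

# instance_port N: host port published for the N-th instance.
instance_port() { echo $((BASE_PORT + $1)); }

# build_run_cmd N: print (do not run) the docker run command for instance N,
# with the TPM node passed via --device and the hostname fixed to the name.
build_run_cmd() {
    n=$1
    name="opc-router$n"
    printf 'docker run -d -p %s:27017 --name %s --hostname %s -v %s/db%s:/data/db -v %s:/data/key-storage/ --device %s:%s -e INRAY_RSA_STORAGE=TPM -e OR_I_ACCEPT_EULA=true -e DOTNET_RUNNING_IN_CONTAINER=true %s\n' \
        "$(instance_port "$n")" "$name" "$name" "$DATA_ROOT" "$n" "$KEY_ROOT" "$TPM_DEV" "$TPM_DEV" "$IMAGE"
}

# check_run_cmd CMD: refuse the two mistakes that silently cost the license:
# the TPM node given with -v instead of --device, and no --hostname (Docker
# would then use the container ID, a new identity on every re-creation).
check_run_cmd() {
    case $1 in
        *"-v $TPM_DEV:"*|*"--volume $TPM_DEV:"*)
            echo "error: $TPM_DEV passed with -v; it must be passed with --device" >&2; return 1 ;;
    esac
    case $1 in
        *"--hostname "*) ;;
        *) echo "error: --hostname missing; the container would not keep its identity" >&2; return 1 ;;
    esac
    return 0
}

# key_dir_state KEY_ROOT HOSTNAME: "existing" when a key folder for this hostname
# is already on disk (a restart or re-creation must reuse the hostname to keep
# that license), "new" when this hostname has never been licensed on this host.
key_dir_state() {
    if [ -d "$1/$2" ]; then echo existing; else echo new; fi
}

# launch N: validate the command, create the host folders, start the container.
launch() {
    n=$1
    cmd=$(build_run_cmd "$n")
    check_run_cmd "$cmd"
    mkdir -p "$DATA_ROOT/db$n" "$KEY_ROOT"
    echo "opc-router$n: key folder is $(key_dir_state "$KEY_ROOT" "opc-router$n")"
    eval "$cmd"
}

# Usage: OPC_LAUNCH_COUNT=3 sh launch-opc-router.sh   (starts opc-router1..3)
if [ -n "${OPC_LAUNCH_COUNT:-}" ]; then
    i=1
    while [ "$i" -le "$OPC_LAUNCH_COUNT" ]; do
        launch "$i"
        i=$((i + 1))
    done
fi
```

All instances share the same key-storage mount and the same /dev/tpmrm0; what keeps their licenses apart is the hostname, which is why the script derives the container name, the hostname and the data folder from the same instance number and never lets the hostname be omitted.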

Verification:

When the container is running, it should be licensable both online and offline, and it should no longer require an internet connection. A container or host restart must preserve the license. In the database, a TrustLevel of 2 should be recorded.
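The script below is an added example, not part of the OPC Router documentation. It checks the part of the verification that can be read from Docker itself: that the running container really has the hostname it was started with, that /dev/tpmrm0 is in its device list (a -v bind mount would not show up there), and that INRAY_RSA_STORAGE=TPM is set, and it repeats the check after a docker restart. The license state itself (online/offline licensability and the TrustLevel of 2) must still be confirmed in the product; the documentation does not name the database collection that records TrustLevel, so nothing about it is assumed here. The docker inspect template and its one-line output format are this example's own choice.

```shell
#!/bin/sh
# Added example, not from the OPC Router documentation: verify that a running
# container carries the TPM-related settings, before and after a restart.
# The TrustLevel check in the database is left to the operator: the
# documentation does not name the collection that records it.
set -eu

TPM_DEV=/dev/tpmrm0

# One Go template so the container's settings come back as a single line:
#   hostname|device1,device2,|ENV1,ENV2,
INSPECT_FMT='{{.Config.Hostname}}|{{range .HostConfig.Devices}}{{.PathOnHost}},{{end}}|{{range .Config.Env}}{{.}},{{end}}'

# check_inspect_line NAME LINE
# Validates one line in the INSPECT_FMT shape. Returns 0 and prints "ok" when the
# hostname is NAME, the TPM resource manager is passed as a device, and
# INRAY_RSA_STORAGE=TPM is set; otherwise prints the first problem and returns 1.
check_inspect_line() {
    name=$1
    line=$2
    hostname=${line%%|*}        # text before the first '|'
    rest=${line#*|}             # text after the first '|'
    devices=${rest%%|*}         # device list, comma-terminated entries
    envs=${rest#*|}             # env list, comma-terminated entries
    if [ "$hostname" != "$name" ]; then
        echo "hostname is '$hostname', expected '$name' (the identity would change)"
        return 1
    fi
    case ",$devices" in
        *",$TPM_DEV,"*) ;;
        *) echo "$TPM_DEV is not in HostConfig.Devices (a -v bind mount is not enough)"; return 1 ;;
    esac
    case ",$envs" in
        *",INRAY_RSA_STORAGE=TPM,"*) ;;
        *) echo "INRAY_RSA_STORAGE=TPM is not set; the container is not using the TPM"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# check_container NAME: inspect the live container and validate its settings.
check_container() {
    check_inspect_line "$1" "$(docker inspect --format "$INSPECT_FMT" "$1")"
}

# verify_after_restart NAME: the settings must be identical after a restart;
# if the hostname or device list changed, the license would not survive.
verify_after_restart() {
    check_container "$1"
    docker restart "$1" >/dev/null
    check_container "$1"
}

# Usage: OPC_VERIFY_NAME=opc-router1 sh verify-opc-router.sh
if [ -n "${OPC_VERIFY_NAME:-}" ]; then
    verify_after_restart "$OPC_VERIFY_NAME"
fi
```

A container started with -v /dev/tpmrm0:/dev/tpmrm0 instead of --device fails the device check here even though the node is visible inside the container, which is exactly the mistake the warning above describes.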