Docker containers with TPM2
Note: In container operation (e.g., Docker, Kubernetes), licensing with online synchronization is required if it is operated without a TPM2 module.
Advantages of the TPM2 module
- Independence from Internet connections: Containers without TPM2 require a regular Internet connection for license verification. With TPM2 this is not necessary. The restriction applies to Linux containers; Windows containers are not affected by it.
- Security: The TPM is used exclusively for the secure storage of license information and is independent of the licensing procedures (online/offline).
- Multiple containers: A single TPM module allows multiple licensed OPC Router containers to run on a single Linux host.
Preparations for TPM deployment
- Linux host with TPM: Ensure that the Linux host has a TPM.
- Physical hosts: A TPM 2 chip must be physically present.
- Hyper-V VMs: TPM usage is enabled via VM settings.
- Wago Edge Devices: Activation takes place in the BIOS under Bios => Advanced => Trusted Computing => Security Device Support => Enable.
Checking TPM readiness
The availability and functionality of the TPM can be checked with the command ls /dev | grep tpm in the terminal. If the output lists device nodes containing tpm (such as tpm0 and tpmrm0), the TPM is ready for use; an empty output means the TPM is not present or not enabled.
Starting a Docker container with TPM
Specific Docker commands are required to start an OPC Router container with TPM support. It is important to assign the correct host name (--hostname), which not only serves as an identity but must also remain consistent to avoid licensing issues. The TPM module is bound to the container via --device /dev/tpmrm0:/dev/tpmrm0. Storing the key files and their path (-v /data:/data) is essential for license management and security.
Starting Docker with TPM
Example of starting an OPC Router Docker container with TPM:
docker run -d \
--hostname opc-router1 \
--device /dev/tpmrm0:/dev/tpmrm0 \
-v /data:/data \
-e "INRAY_RSA_STORAGE=TPM" \
<... as in the manual ...>
Hostname
--hostname opc-router1
Used by the container as its identity on the host. The hostname must remain the same for a container, otherwise it loses its identity. Each container should be given its own unique hostname.
Data volume
-v /data:/data
Specifies where the TPM key files are stored on the host. A separate folder is created for each --hostname. If a folder is deleted or cannot be accessed by the container, its license is also lost.
Technical explanation: The storage space of the TPM is extremely limited, so as much as possible is offloaded to disk. The files can only be read by the physical TPM that created them, so no further protective measures are necessary for the files themselves.
Device mount
--device /dev/tpmrm0:/dev/tpmrm0
This allows the container to use the host's TPM resource manager.
Note: Passing the device with -v /dev/tpmrm0:/dev/tpmrm0 looks as if it might also work. It does not. The TPMRM must always be passed with --device.
Environment variable to activate the TPM module
-e "INRAY_RSA_STORAGE=TPM"
This forces the container to use the TPM for licensing.
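As an added example (not from the OPC Router manual), the following POSIX shell functions turn the preflight checks and the run command described above into something scriptable: tpm_ready looks for the resource manager node in the same way as ls /dev | grep tpm, build_run_cmd validates the hostname, the data directory and the TPM node before printing the docker run command as a dry run, and lint_run_cmd catches the -v /dev/tpmrm0 mistake in a command line before it is executed. The image name, the directory arguments and the list of hostnames already in use are assumptions supplied by the caller; the trailing arguments from the manual are passed through unchanged.

```shell
#!/bin/sh
# Added example, not part of the OPC Router manual. Assumptions: the device
# directory defaults to /dev, the data directory is given by the caller, and
# the image plus any further arguments from the manual are passed as IMAGE.

# tpm_ready [DEV_DIR]: succeed if the TPM resource manager node tpmrm0 exists.
# Equivalent to the manual's "ls /dev | grep tpm" check, narrowed to the node
# that the container actually needs.
tpm_ready() {
    dev_dir="${1:-/dev}"
    [ -e "$dev_dir/tpmrm0" ]
}

# build_run_cmd HOSTNAME DATA_DIR [DEV_DIR] IMAGE [USED_HOSTNAMES]:
# print the docker run command (dry run, nothing is started). Returns 1 and
# prints the reason on stderr if a precondition for TPM licensing is not met.
# USED_HOSTNAMES is a whitespace-separated list of hostnames already in use,
# e.g. collected with: docker ps -q | xargs docker inspect --format '{{.Config.Hostname}}'
build_run_cmd() {
    host="$1"; data="$2"; dev_dir="${3:-/dev}"; image="$4"; used="${5:-}"

    # The hostname is the container's identity; the license is bound to it.
    [ -n "$host" ] || { echo "hostname is required (container identity for licensing)" >&2; return 1; }
    for h in $used; do
        [ "$h" != "$host" ] || { echo "hostname $host is already in use on this host" >&2; return 1; }
    done

    # Without /dev/tpmrm0 the container falls back to online synchronization.
    tpm_ready "$dev_dir" || { echo "$dev_dir/tpmrm0 not found: TPM absent or not enabled" >&2; return 1; }

    # The host directory holds the TPM key files; losing it loses the license.
    [ -d "$data" ] || { echo "data directory $data does not exist" >&2; return 1; }

    printf 'docker run -d --hostname %s --device /dev/tpmrm0:/dev/tpmrm0 -v %s:/data -e INRAY_RSA_STORAGE=TPM %s\n' \
        "$host" "$data" "$image"
}

# lint_run_cmd COMMAND: check an existing docker run command line for the
# mistakes discussed above. Returns 1 if any check fails.
lint_run_cmd() {
    cmd="$1"; rc=0
    case "$cmd" in
        *"-v /dev/tpmrm0"*) echo "tpmrm0 must be passed with --device, not -v" >&2; rc=1 ;;
    esac
    case "$cmd" in
        *"--device /dev/tpmrm0:/dev/tpmrm0"*) ;;
        *) echo "missing --device /dev/tpmrm0:/dev/tpmrm0" >&2; rc=1 ;;
    esac
    case "$cmd" in
        *"INRAY_RSA_STORAGE=TPM"*) ;;
        *) echo "missing -e INRAY_RSA_STORAGE=TPM" >&2; rc=1 ;;
    esac
    case "$cmd" in
        *"--hostname "*) ;;
        *) echo "missing --hostname" >&2; rc=1 ;;
    esac
    return $rc
}
```

Usage: source the file, then run `build_run_cmd opc-router1 /data /dev "IMAGE ..."` and execute the printed line with `sh -c "$(...)"` once it passes; `lint_run_cmd "$existing_cmd"` can be dropped into a deployment script to reject a command that uses -v for the TPM node or omits the environment variable.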
Verification:
- When the container is running, both online and offline licensing are possible.
- The container should no longer require an Internet connection.
- The license should remain valid after restarting the container or host.
- The licensing overview should show Trust Level 2 (you may need to enable expert mode in the settings to see this).