Intel Optane DC Persistent Memory - Configuration and Setup White Paper
TECHNICAL WHITE PAPER
using their respective BIOS passwords, without having to know any of the passphrases. The actual DCPMM
passphrases are generated by the workstation BIOS and copies are stored on the motherboard using a separate
layer of encryption, managed by the TPM. This also avoids having to reuse passphrases across multiple DCPMMs.
Enabling Transparent Unlock (recommended)
1. Set power-on password and reboot.
2. In F10 Setup go to Security > NVDIMM Transparent Unlock and check Enable NVDIMM Transparent
Unlock by selecting the setting and pressing Enter.
3. Save changes.
4. This sets up a different machine-created random passphrase on each DCPMM.
5. To be able to recover DCPMM data if you forget or reset your BIOS passwords, you are prompted to insert
a USB key (FAT32) to export DCPMM passphrases.
6. You are then prompted to select between “Encrypted or plain text?”
7. Encrypted: prompts for an encryption password (used only for encrypting this file; it is separate from the BIOS
power-on and administrator passwords). Saves to a .der file (binary) using PKCS7 (Cryptographic Message
Syntax Standard), a common method to encrypt messages, including email.
8. Plain text: saves to a UTF16 text file. Keep the USB key in a safe location!
9. File is saved to root folder. Name is NVDIMMPassphrases_GUID_date.txt, e.g.
NvdimmPassphrases_ACF42627-1FCF-9B8F-FA9C-1C549637D132_2019-05-08T212307Z.txt,
or NVDIMMPassphrases_GUID_date.der if encrypted.
10. Workstation power cycles.
11. BIOS asks for power-on password on reboot; when entered, this automatically unlocks all the NVDIMMs.
Viewing DCPMM passphrases
1. Enter F10 Setup.
2. Go to Security > NVDIMM Transparent Unlock > Show NVDIMM passphrases.
3. Enter BIOS password again.
4. Passphrases are displayed.
Exporting DCPMM passphrases
See above under the procedure “Enable Transparent Unlock”.
Viewing the Transparent Unlock log
The Workstation BIOS maintains a log of Transparent Unlock operations, including failures to unlock. The log
contains 32 entries and is circular. You can view the log using BCU (BiosConfigUtility) in Windows and Linux.
The following is a sample log output:
NVDIMM Transparent Unlock Log Entries
[INFO] 2019-05-07 11:30 Successfully exported passphrases to plain text file.
[INFO] 2019-05-07 11:30 Transparent unlock enabled.
[ERROR MINOR] 2019-05-08 09:58 Failed exporting passphrases to file.
[INFO] 2019-05-08 09:59 Successfully exported passphrases to encrypted file.
[INFO] 2019-05-08 10:03 Transparent unlock disabled.
[INFO] 2019-05-08 10:07 Successfully exported passphrases to plain text file.
[INFO] 2019-05-08 10:07 Transparent unlock enabled.
[INFO] 2019-05-08 10:11 Transparent unlock disabled.
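The following is an added example, not part of the original white paper or of HP's tooling: a Python audit of the log text that flags the entries a reviewer would care about (plain-text passphrase exports, failed exports, and disable events, which remove the passphrases from each DCPMM). It assumes the log has already been saved as text in the format shown above, oldest entry first; the function names and finding labels are hypothetical.

```python
import re
from datetime import datetime

LOG_CAPACITY = 32  # the white paper states the log is circular with 32 entries

# Sample input: the log output shown on this page.
SAMPLE_LOG = """\
[INFO] 2019-05-07 11:30 Successfully exported passphrases to plain text file.
[INFO] 2019-05-07 11:30 Transparent unlock enabled.
[ERROR MINOR] 2019-05-08 09:58 Failed exporting passphrases to file.
[INFO] 2019-05-08 09:59 Successfully exported passphrases to encrypted file.
[INFO] 2019-05-08 10:03 Transparent unlock disabled.
[INFO] 2019-05-08 10:07 Successfully exported passphrases to plain text file.
[INFO] 2019-05-08 10:07 Transparent unlock enabled.
[INFO] 2019-05-08 10:11 Transparent unlock disabled.
"""

ENTRY = re.compile(r"^\[(?P<sev>[A-Z ]+)\]\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<msg>.+)$")
STATE = re.compile(r"transparent unlock (enabled|disabled)", re.I)
# (hypothetical finding label, pattern matched against the message text)
RULES = [
    ("plaintext-export", re.compile(r"exported passphrases to plain text", re.I)),
    ("export-failed", re.compile(r"failed exporting passphrases", re.I)),
    ("unlock-disabled", re.compile(r"transparent unlock disabled", re.I)),
]

def parse(text):
    """Return (severity, timestamp, message) for each well-formed entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # headers and blank lines do not match and are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
            entries.append((m["sev"], ts, m["msg"]))
    return entries

def audit(text):
    """Summarise review-worthy events and the last recorded unlock state."""
    entries = parse(text)
    findings = [(label, ts, msg) for sev, ts, msg in entries
                for label, rx in RULES if rx.search(msg)]
    # Any non-INFO entry is reported even when no rule recognises its message.
    findings += [("error", ts, msg) for sev, ts, msg in entries
                 if sev != "INFO" and not any(rx.search(msg) for _, rx in RULES)]
    states = [m.group(1).lower() for _, _, msg in entries if (m := STATE.search(msg))]
    return {"findings": findings, "state": states[-1] if states else None,
            "may_have_wrapped": len(entries) >= LOG_CAPACITY}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

When `may_have_wrapped` is true the log is full, so older entries may already have been overwritten and the absence of a finding is not evidence that the event never happened.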
Disabling Transparent Unlock
1. Enter F10 Setup.
2. Go to Security > NVDIMM Transparent Unlock and uncheck Enable NVDIMM Transparent Unlock by
selecting the setting and pressing Enter.
3. Save changes.
4. Notification screen: “Transparent Unlock has been disabled”, “All NVDIMMs’ security passphrases have been
disabled.”
5. Workstation power cycles.
6. This removes passphrases from each DCPMM. It does not erase any data.










