Secure storage and the SD card
Sensitive data includes the following:
- Credentials for accessing a WiFi network
-
- Private key files
- OS account credentials
The system is designed in a way that protects this data, while at the same time allowing you to move an SD card from a unit that suffered a hardware failure to a new unit with minimal effort.
In this scenario, the SD card inserted into the replacement unit contains the system passphrase for the original unit, which does not match the one in the replacement unit. This results in the boot sequence failing due to the passphrase mismatch (indicated by Stat LED flashing with a 50% duty cycle with a 1 second period).
If you are monitoring the debug port (see “Connecting to the JACE debug system shell” in the “Reference information” section of this guide), you will be presented with the following notification banner in the serial shell.
Figure 1. System Passphrase Mismatch warning in serial shell
Note that the warning message prompts you to login (using platform credentials) and update the system passphrase (i.e. enter the system passphrase for the original unit) via serial connection.
After logging in you will see the System Decrypt Failure Menu with the following options:
- Update system passphrase
- Remove all encrypted data
- Reboot
- Logout
Option 1, is the recommended choice but it requires that you know the system passphrase (for the original unit) that was used to encrypt the SD card. While selecting option 2 invokes the following warning which requires you to confirm that you understand the consequences of choosing that option.
Figure 2. Warning on removing encrypted data
NOTE: Pre-configuring (via serial connection) the replacement JACE-8000 unit with a system passphrase matching the one stored on the SD card (swapped out of the original unit) facilitates commissioning the replacement unit. In this situation, the commissioning process does not prompt for a passphrase since it detects a passphrase match.