SPARC M8 and SPARC M7 Servers Product Notes

Updated: January 2022

Trusted Platform Module Availability (SPARC M7)

On SPARC M7-8 and SPARC M7-16 servers, the Trusted Platform Module (TPM) can encrypt an optional on-disk keystore. The TPM-secured keystore can be decrypted only with the unique keys for that TPM. If the TPM changes through platform migration or hardware replacement, the keystore cannot be decrypted or accessed. Use the Oracle Solaris tpmadm(1M) migrate subcommand to back up the TPM-secured keystore for possible restoration at a later time. Example applications that might use the TPM-secured keystore include the Apache web server and the SSH secure shell.

The TPM chips reside on the service processors (SPs). One SP acts as the Active SP, and the other SP acts as the Standby SP. If a failure occurs on the Active SP, the system fails over to the Standby SP. After such a failover, the TPM on the Standby SP cannot decrypt the TPM-secured keystore until you restore the keystore from your backup.

By default, the TPM is not used unless you specifically enable and configure it on SPARC M7-8 and SPARC M7-16 servers. In Oracle Solaris 11.3, after you boot the server for the first time, you must run the tpmadm failover command so that TPM data and keys are automatically backed up to the Standby SP. You can use the backed-up TPM data and keys for a system migration or hardware replacement. Do not use the TPM-secured keystore unless you have backed it up. For more information, refer to SPARC: How to Initialize TPM Using the Oracle ILOM Interface in the Oracle ILOM documentation.
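The note above makes the backup a precondition for using the keystore at all, so the backup step is worth scripting rather than typing once. The following is an added example, not part of the product notes or of Oracle's tooling: a small POSIX shell wrapper that exports the keystore with the tpmadm migrate subcommand, restricts the file's permissions, records a SHA-256 digest, and later verifies the saved blob against that digest before you rely on it for a restore. It assumes the Oracle Solaris 11 invocation forms "tpmadm migrate export <file>" and "tpmadm migrate import <file>"; the TPMADM variable exists only so the logic can be exercised on a host without a TPM.

```shell
#!/bin/sh
# Added example (not from the product notes): back up the TPM-secured
# keystore and verify the backup before the keystore is put to use.
# Assumption: tpmadm(1M) accepts "migrate export <file>" and
# "migrate import <file>" as in Oracle Solaris 11. TPMADM may be
# overridden (for example with a shell function) to test without a TPM.
TPMADM="${TPMADM:-tpmadm}"

# sha256_of FILE: print the hex SHA-256 of FILE using whatever tool the
# platform provides (digest(1) on Oracle Solaris, sha256sum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_tpm_keystore DIR: export the migration blob into DIR, tighten
# its mode to owner-only, store its digest alongside, and print the path.
# Returns non-zero if the export fails or produces an empty file.
backup_tpm_keystore() {
    dir="$1"
    out="$dir/tpm-keystore-$(date +%Y%m%d%H%M%S).bin"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    "$TPMADM" migrate export "$out" || return 1
    if [ ! -s "$out" ]; then
        echo "tpmadm produced an empty export: $out" >&2
        return 1
    fi
    chmod 600 "$out" || return 1
    sha256_of "$out" > "$out.sha256" || return 1
    echo "$out"
}

# verify_tpm_backup FILE: succeed only if FILE is non-empty and still
# matches the digest recorded when it was exported.
verify_tpm_backup() {
    f="$1"
    [ -s "$f" ] && [ -f "$f.sha256" ] || return 1
    [ "$(sha256_of "$f")" = "$(cat "$f.sha256")" ]
}

# restore_tpm_keystore FILE: refuse to import a blob that fails verification.
restore_tpm_keystore() {
    verify_tpm_backup "$1" || { echo "backup failed verification: $1" >&2; return 1; }
    "$TPMADM" migrate import "$1"
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    backup)  backup_tpm_keystore "${2:-/var/backups/tpm}" ;;
    verify)  verify_tpm_backup "$2" && echo "ok: $2" ;;
    restore) restore_tpm_keystore "$2" ;;
esac
```

Run it as "sh tpm-backup.sh backup /var/backups/tpm" on the Active SP's domain before enabling any application (Apache, SSH) on the keystore, copy the resulting .bin and .sha256 pair off the server, and use "verify" before a "restore" after a platform migration or hardware replacement. The digest only detects corruption or truncation of the saved blob; it does not replace the tpmadm failover configuration that keeps the Standby SP's copy current.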