Manual Chapter : Returned Material Data Security Statement

Applies To: F5OS-A 1.0.1, 1.0.0

Returned material data security

Follow these data security guidelines when returning equipment to F5 for reprocessing or repair. The guidelines include reprocessing procedures and optional customer-end procedures.

Memory technologies used in F5 equipment

F5 equipment contains volatile, battery-backed volatile, and non-volatile memory.

Volatile memory: loses all traces of data on power down.
Battery-backed volatile memory: retains data as long as battery charge is maintained.
Non-volatile memory: retains data indefinitely.

Volatile memory

Volatile memory loses all traces of data on power down; therefore, customer data that is stored in volatile memory is secure when power is removed from the platform. No further action is required by customers for equipment that includes volatile memory.

Battery-backed volatile memory

This F5 platform contains a coin battery for maintaining BIOS settings and the system clock. All data maintained by the coin battery is used only for system-specific tasks. No customer data is maintained by the battery-backed volatile memory. No further action is required by customers for equipment that includes battery-backed volatile memory.

Non-volatile memory

F5 platforms include various non-volatile memory components. These non-volatile memory components can be categorized as either user inaccessible or user accessible.

User inaccessible non-volatile memory components are programmed during manufacture or software installation. The data stored in user inaccessible non-volatile memory is used for setting voltage levels, determining the sequence of operational events, and managing the appliance's operational condition. Data held within user inaccessible non-volatile memory represents no data security risk to customers. User inaccessible non-volatile memory cannot be modified by appliance users and therefore contains no customer data.

Inaccessible non-volatile memory

This table lists the inaccessible non-volatile memory in this system.

Description | Data | Customer data
--- | --- | ---
Programmable firmware stores | Firmware | No
System SEEPROM | Platform ID, serial number, part number, and so on. | No
PHY EEPROMs | PHY MAC address | No

Accessible non-volatile memory

This table lists the accessible non-volatile memory in this system. Not all platform variants include all of these non-volatile memory items.

Description | Data | Customer data | Data security method
--- | --- | --- | ---
Hard disk drive (HDD) | F5 product software, customer configuration, and log files | Yes | Standard reprocessing or customer removal
Solid-state drive (SSD), if present | F5 product software, customer configuration, and log files | Yes | Standard reprocessing or customer removal
Always-On Management (AOM) Flash chip (soldered-down flash chip) | AOM boot code and customer custom configuration | Yes | Standard reprocessing or customer action
FIPS software or hardware security module (HSM), if present | FIPS security domain and private keys | Yes | Standard reprocessing or customer action

Data removal from F5 rSeries systems

F5 rSeries systems use an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database. Before you return an F5 rSeries system to F5 for reprocessing or repair, you should reset the encryption key to remove any sensitive data from your system.

Reset the encryption key on an F5 rSeries system before returning the system to F5

If you are still able to access the CLI of your F5 rSeries system, you should reset the encryption key (or primary key) before you return the system to F5 for reprocessing or repair.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Set the primary key with a new passphrase on the system.
    system aaa primary-key set passphrase <known-passphrase> confirm-passphrase <known-passphrase> salt <known-salt> confirm-salt <known-salt>
    Be sure to make note of the salt and passphrase, as these are needed to restore the configuration on a replacement system.
    A response similar to this example displays:
    Key migration is initiated. Use 'show system aaa primary-key state status' to get status
  4. Display the status of the primary key migration process on the system.
    show system aaa primary-key state status
    A summary similar to this example displays:
    system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"
  5. Display the primary key hash on the system.
    show system aaa primary-key state hash
    A summary similar to this example displays:
    system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZ WD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg== syscon-2-active#
    Be sure to make note of the primary key hash, as it is needed to restore the configuration on a replacement system.
  6. Back up the system controller configuration.
    system database config-backup name <file-name>.xml
    System controller configuration backup files are located in configs/.
  7. Export the configuration backup file from the system to an HTTPS server.
    file export local-file configs/backup1.xml remote-file /tmp/<file-name>.xml remote-host <ip-address> username root
    The system requests the password for the remote root account, and a summary similar to this example displays:
    Value for 'password' (<string>): ******* result File transfer is initiated.(configs/backup1.xml)
When you receive your replacement rSeries system from F5, you can migrate the backup configuration to the new system. For more information, see F5 rSeries Systems: Administration and Configuration at support.f5.com/csp/knowledge-center/software/F5OS.
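Steps 4 and 5 above produce the two values a practitioner must check and keep before taking the backup: the migration status (it must read COMPLETE before the configuration is backed up) and the primary key hash. The following Python is an added example, not F5's code and not part of this manual page; it parses the output formats exactly as the page shows them, refuses to record anything until the status reports COMPLETE, and checks that the hash token is well-formed base64 before it is written down. The sample hash is constructed (it is not a real key hash), and the PENDING state name is a constructed placeholder used only to show the not-yet-complete path; COMPLETE is the only state string taken from the page.

```python
"""Verify F5OS primary-key migration output before taking the config backup.

Added example; not part of the F5 manual page. The output formats come
from the page's own examples; the sample values below are constructed.
"""
import base64
import binascii
import re

# Constructed sample outputs in the format shown by the F5OS CLI on this page.
SAMPLE_HASH = base64.b64encode(bytes(range(64))).decode()  # constructed, not a real key hash
STATUS_COMPLETE = 'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"'
# "PENDING" is a constructed placeholder state, not a documented F5OS value.
STATUS_PENDING = 'system aaa primary-key state status "PENDING Initiated: Thu Feb 18 01:37:53 2021"'
# On the page the CLI prompt (syscon-2-active#) follows the hash on the same line.
HASH_OUTPUT = f"system aaa primary-key state hash {SAMPLE_HASH} syscon-2-active#"

_STATUS_RE = re.compile(
    r'primary-key state status "(?P<state>\S+)(?: Initiated: (?P<initiated>[^"]*))?"'
)
_HASH_RE = re.compile(r"primary-key state hash (?P<hash>\S+)")


def parse_primary_key_status(output: str):
    """Return (state, initiated_timestamp) from 'show system aaa primary-key state status'."""
    m = _STATUS_RE.search(output)
    if not m:
        raise ValueError("unrecognised primary-key status output")
    return m.group("state"), m.group("initiated")


def migration_complete(output: str) -> bool:
    """True only when the key migration reports COMPLETE (the state the page shows)."""
    state, _ = parse_primary_key_status(output)
    return state == "COMPLETE"


def parse_primary_key_hash(output: str) -> str:
    """Extract the hash token and require it to decode as base64; the prompt is ignored."""
    m = _HASH_RE.search(output)
    if not m:
        raise ValueError("unrecognised primary-key hash output")
    h = m.group("hash")
    try:
        base64.b64decode(h, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"primary-key hash is not valid base64: {h!r}") from exc
    return h


def decoded_hash_length(h: str) -> int:
    """Length in bytes of the decoded hash (64 for the constructed sample)."""
    return len(base64.b64decode(h, validate=True))


def record_for_replacement(status_output: str, hash_output: str) -> dict:
    """Refuse to record anything until migration is COMPLETE; then return what step 5 says to note."""
    if not migration_complete(status_output):
        raise RuntimeError("primary-key migration not complete; do not back up yet")
    _, initiated = parse_primary_key_status(status_output)
    return {"primary_key_hash": parse_primary_key_hash(hash_output), "initiated": initiated}


if __name__ == "__main__":
    print(record_for_replacement(STATUS_COMPLETE, HASH_OUTPUT))
```

Paste the real `show` output in place of the constructed strings; the hash and timestamp the function returns are the values to keep alongside the passphrase and salt from step 3, since all of them are needed to restore the backup on the replacement system.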