Working with encrypted SD cards

Available from firmware release 2024.0 LTS with AXC F x152, RFC 4072S, BPC 9102S, SPLC 1000, or SPLC 3000

Only LIC SD cards can be encrypted in the context of PLCnext Technology:

  • SD FLASH 8GB PLCNEXT MEMORY LIC (item no. 1151112)
  • SD FLASH 32GB PLCNEXT MEMORY LIC (item no. 1151111)
  • SD FLASH PLCNEXT MEMORY LIC CFG (item no. 1308064)

All handling of SD cards in the supporting PLCnext Control devices is done via the WBM SD Card page. In this topic, encryption and decryption of SD cards and management of devices working with these cards is explained.

Tip: For general measures for establishing cyber security in your industrial plant, see the PLCnext Security Info Center.

SD card encryption

If the SD card in a PLCnext Control device is encrypted, the SD card is bound to that specific device to prevent data theft from that medium. The catch is that when replacing either the SD card or the PLCnext Control, this bond has to be transferred to the replacement under secure conditions. This is even more difficult if the replacement is due to a defect or loss.

  • The Encryption password is stored on the LIC SD card and the controller. It is therefore not necessary to enter it again during a reboot. After activation the LIC SD card and the controller are bound to each other. 
  • The Recovery password is necessary to unlock a protected LIC SD card so it can also be used with another controller. 

A proper password in this context consists of: 

  • minimum 8 characters, maximum 63 characters
  • only a-z, A-Z, 0-9, and ASCII characters {}()[]#,;.:^?!|_'~@$%/\=+-*&

Note: Save the encryption password in a safe place. It also serves as a recovery password for the LIC SD card.

Activating the SD card encryption

Note:
  • During the encryption or decryption process a reset to default settings type 1 needs to be performed; the data on the SD card is deleted but the IP address setting is retained.
  • The following steps need to be done in exactly this order. Do not skip a step, do not do anything else in between with your device! 
  • Make sure to have a proper LIC SD card in the slot.
  • In the Data protection section on the SD Card WBM page, click on Activate encryption to prepare the SD card encryption.
    ↪ The Set password for SD card encryption dialog opens.

  • Here you can assign a password or have one generated automatically:
    Option 1: Enter your own password
    • From the Password creation drop-down menu, select Enter.
    • Prepare a password that meets the requirements.
    • Enter the same password in the Encryption password and Confirm encryption password input fields.

    Option 2: Generate a password
    • Select Generate from the Password creation drop-down menu.
      ↪ A password that meets the requirements is generated automatically.
  • Store a note of the password used with this SD card (identifiable by the serial number on the back side) in a safe place.
  • Click on Save.
    ↪ The encryption password is saved on the controller and the SD card encryption is scheduled for execution.
    ↪ In the Status section of the SD Card WBM page you can read now: Encryption request present.
  • Reboot the controller (e.g., via the Cockpit WBM page).
    ↪ The SD card is encrypted and bound to the controller.
         Note: Due to the encryption, this step may take some time.
    ↪ The PLCnext Control is reset to default setting (type 1).
    ↪ The controller boots from the encrypted SD card.
  • Refresh the SD Card WBM page in your browser to see the changed status:
    WBM page as of firmware release >= 2024.0 LTS on controllers with an optional SD card
    SD card encryption status visible

Deactivating the SD card encryption

If the SD card's encryption is set back then the Overlay File System on this SD card is erased. No automation program data nor passwords are retained.

To deactivate the encryption, proceed as follows:

  • Boot the PLCnext Control device from the encrypted SD card in the slot.
  • Log in to the Web-based Management (WBM) and navigate to the Security menu, SD Card page.
  • With the encrypted LIC SD card in the slot of the device, click on Deactivate encryption.
    ↪ The encryption is set back.
    ↪ The overlay file system on the LIC SD card and all user data is erased.
  • Perform a reset to default setting type 1 (e.g., via the Cockpit WBM page).
    ↪ After the reboot, the LIC SD card appears as unencrypted in the Status section of the SD card WBM page.
  • Download your automation programs to the unencrypted SD card for operation. 
    Note: Be aware of the security risks in this scenario! Ensure that only authorized personnel have access to the SD card which contains sensitive data.

Recovery password

You need a recovery password if you want to use an encrypted LIC SD card with another controller to which the LIC SD card is not bound, for example if a controller needs to be replaced. The recovery password corresponds to the encryption password with which the LIC SD card was originally encrypted.

If a LIC SD card is encrypted and therefore bound to a specific controller, an encryption password has been set. The recovery password corresponds to that encryption password. To use the encrypted LIC SD card with another controller, you have to set its recovery password in the WBM of this controller. With the set recovery password, the LIC SD card is unlocked during the next reboot of the controller.

To unlock and use the protected LIC SD card with another controller (e.g., after replacing the controller due to a defect), you have to set its recovery password in the WBM of that controller, too. Only this way the LIC SD card can be unlocked during the next reboot of that controller.

Assigning the recovery password

You can assign the recovery password in the Recovery password to unlock the protected SD card area:

  • Click on Set recovery password.
    ↪ The Set recovery password to unlock protected SD card dialog opens.
  • Enter the password in the Recovery password and Confirm recovery password input fields and click on Save.
    ↪ The password is stored in the controller.
    ↪ During a reboot this LIC SD card will be proven eligible for this controller.
  • For further reference, store this password along with an identification (e.g., serial number) of the SD card and the controller in a safe place.
  • Refresh the SD Card WBM page in your browser to see the changed status:
    WBM page on controllers with an optional SD card

Deleting the recovery password

Note: If you delete the recovery password, the LIC SD card cannot be used with this controller anymore.

  • Click on Delete recovery password.
  • Note the system message and click OK.

    ↪ The password will be deleted.

 

Replacing an encrypted SD card or controller

SD card and controller are working

If the SD card is still working fine but you want to use it in a different controller, then the SD card needs to be decrypted to remove the bond between SD card and controller:

  • Boot the PLCnext Control device from the encrypted SD card in the slot.
  • Log in to the Web-based Management (WBM) and navigate to the "Security" section, "SD Card" page.
  • In the Data protection table, press the Deactivate encryption button.
    ↪ A message box appears, telling that a reboot is necessary for executing the decryption.
    ↪ The Status section shows "Decryption request present". 
  • In the WBM's Overview → Cockpit, press the reboot button.
    ↪ The encryption is set back.
    ↪ The overlay file system on the SD card and all user data is erased.
    ↪ A reset to default settings type 1 is performed.
  • Shut down the PLCnext Control device.
  • Eject the (formerly encrypted) SD card.
  • Insert the replacement SD card.
  • Start the PLCnext Control device.
    ↪ The system boots from the replacement SD card.
  • Next, perform the encryption activation steps (see SD card encryption) with the replacement SD card.

SD card is defective or lost

If the encrypted SD card becomes defective or is lost, so that the above procedure can't be performed, but the PLCnext Control only accepts that missing SD card, then this procedure is necessary to replace the SD card.

Requirements

  • Another empty SD card
  • An SD card reader connected to a computer

Procedure

  • Prepare an empty file exactly named plcnext_perform_factory_reset (no suffix!).
  • From the computer, access the SD card's file system on the system partition (partitioning see SD card partitions).
  • Place the prepared file into the uppermost directory in the system partition of the SD card.
  • Eject the SD card from the reader and insert it into the PLCnext Control device while it is shut off.
  • Boot the PLCnext Control.
    ↪ During the early init process the file triggers a reset of the overlay file system on the new SD card but accepts that new card for booting.
    Note: The demand for an encrypted SD card is ignored in this boot attempt only; for further rebooting, the encrypted SD card will be necessary.
    ↪ The PLCnext Control device starts up from the clean overlay file system on the replacement SD card.
  • Immediately perform the encryption activation steps to bind this SD card to the device.
    ↪ The PLCnext Control boots securely from the encrypted replacement SD card.
  • Download your automation programs to the replacement SD card for further operation.

Controller is defective

If the PLCnext Control runs its automation project from an encrypted SD card and becomes defective, then in order to use the programs on its encrypted SD card in a different device, you need to verify the operation by means of the recovery password for this specific SD card.

Requirements

  • An encrypted SD card bound to a PLCnext Control device that shall be replaced.
  • A second PLCnext Control device of the same type (!), running firmware release >=2024.0 LTS, reset to factory defaults type 1;
    the recovery password for the encrypted SD card is set in the SD Card WBM page to exactly that password that was formerly set as the encryption password in the first device during the encryption procedure.
  • In case of an optional SD card (AXC F x152 devices), make sure the external SD card interface is set to active via the SD card WBM page after the factory reset, and the checkbox at Reactivation after factory reset is marked.


Procedure

  • With the defective device shut down, eject the encrypted SD card carrying the automation project.
  • With the replacement device shut down, insert this encrypted SD card into its slot.
  • Boot the replacement device from the encrypted SD card.
    ↪ The automation project runs from the replacement device.

Preparing replacements in advance

To be prepared for defects or loss of encrypted SD cards, it is good practice to set up some replacement SD cards in advance. The replacement SD cards should be set up with the same recovery password as those in operation. This way, the replacement can take place fast without all the steps of decryption - replacement - encryption.

But be thoughtful - don't undermine the security measures along the way:

  • Use the same recovery password for the SD cards in a segment of your network, and a different one in other network segments.

Also, for reduced downtime, a replacement controller of the same type should be prepared according to the same requirements listed for replacing a defective controller:

  • for each network segment at least one PLCnext Control device of the same type that is present in the plant
  • updated to a firmware release >=2024.0 LTS and reset to factory defaults type 1
  • in case of an optional SD card (AXC F x152 devices), make sure the external SD card interface is set to active and the reactivation checkbox is marked
  • the encryption password is set to the password for only one network segment
Note: Always store the replacement cards and devices in a safe place with access by authorized personnel only.
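
The password rules from the SD card encryption section and the per-segment advice above can be checked before anything is typed into the WBM. The following is an added example, not Phoenix Contact code: the function names, segment names and sample passwords are constructed for illustration.

```python
import secrets
import string

# Character set and length limits as stated in the password requirements.
SPECIALS = "{}()[]#,;.:^?!|_'~@$%/\\=+-*&"
ALLOWED = set(string.ascii_letters + string.digits + SPECIALS)
MIN_LEN, MAX_LEN = 8, 63

def check_password(pw):
    """Return a list of rule violations; an empty list means the password conforms."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"too short ({len(pw)} < {MIN_LEN})")
    if len(pw) > MAX_LEN:
        problems.append(f"too long ({len(pw)} > {MAX_LEN})")
    bad = sorted({c for c in pw if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems

def generate_password(length=32):
    """Draw a conforming password from the allowed set using the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside 8..63")
    pool = sorted(ALLOWED)
    return "".join(secrets.choice(pool) for _ in range(length))

def shared_across_segments(inventory):
    """Return the sets of segment names that use one and the same password."""
    segments_by_pw = {}
    for segment, pw in inventory:
        segments_by_pw.setdefault(pw, set()).add(segment)
    return [segs for segs in segments_by_pw.values() if len(segs) > 1]

# Constructed sample data: (network segment, recovery password) per SD card.
SAMPLE = [
    ("line-A", "Tr4nsfer{Press}#2024"),
    ("line-A", "Tr4nsfer{Press}#2024"),  # same segment, same password: intended
    ("line-B", "Tr4nsfer{Press}#2024"),  # reused in a different segment
    ("line-C", 'quote"and space'),       # '"' and ' ' are not in the allowed set
]

if __name__ == "__main__":
    for segment, pw in SAMPLE:
        print(segment, check_password(pw) or "ok")
    print("shared across segments:", shared_across_segments(SAMPLE))
```

Run it against an export from your password store rather than a plaintext file kept next to the cards.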

 

 


• Published/reviewed: 2024-08-08   ☀  Revision 071 •