beautypg.com

Understanding tpm certificates, Taking ownership of a tpm, Warning – NEC ExpressA1160 User Manual

Page 244

background image

Understanding TPM Certificates

13-2

key that is descended from the endorsement certificate)

Sealed storage (data that is encrypted in such a way that it can be decrypted only if
the TPM releases the associated decryption key to software that can provide the
correct password)

The TPM is not used to verify another system, unless the other system also has a TPM.

13.2. Understanding TPM Certificates

Each TPM contains an endorsement key credential (EK) that is provided and installed
by Infineon (the TPM vendor). By definition, each EK and corresponding certificate is
unique. No other EK can be installed in the TPM, and no one, including the
manufacturer, ever sees the private part of the EK. Normally, an administrator performs
all operations concerning the TPM.

Normal use of a TPM for key storage involves generating or obtaining a storage key
(SK) and, optionally, a master key when you take ownership of the TPM. You can use
the SK as the master key. The master key is used to encrypt all other keys on the
system.

You are responsible for creating the SK and master key using key management
software. They must be migratable keys, and you must use appropriate migration
commands to save the keys that you generate. If you need to recover the SK or master
key, you must follow the recovery process that is specified by the key management
software.

You may need to recover and migrate the SK and the master keys if you want to use a
different cell as the boot cell for the partition, or if the management board on the boot cell
is replaced. In both cases, the TPM is different and, by definition, the EK is different. You
need to use the key management software to migrate your SK and master keys to the
new TPM.

WARNING

If you do not use key management software with recovery and you lose the
TPM, forget your password, or do any other action that can cause the keys to
be lost, you cannot recover any keys from the TPM, and your data is lost.

13.3. Taking Ownership of a TPM

Taking ownership of a TPM is a complex process. You must be physically present at the
cell to perform certain actions when requested by the software. The following steps give
a high-level summary of the process:

See also other documents in the category NEC Computers: