Lenovo ThinkVantage Client Security Solution 8.21 User Manual

Chapter 3. Working with Client Security Solution
Before you install Client Security Solution, you should understand the customization available for Client
Security Solution. This chapter provides customization information about Client Security Solution, as well as
information regarding the Trusted Platform Module. The terms used in this chapter referencing the Trusted
Platform Module are defined by the Trusted Computing Group (TCG). For more information about the Trusted
Platform Module refer to the following Web site:
Using the Trusted Platform Module
The Trusted Platform Module is an embedded security chip designed to provide security-related functions
for the software utilizing it. The embedded security chip is installed on the motherboard of a system and
communicates through a hardware bus. Systems that incorporate a Trusted Platform Module can create
cryptographic keys and encrypt them so that they can only be decrypted by the same Trusted Platform
Module. This process is often called wrapping a key, and helps protect the key from disclosure. On a system
with a Trusted Platform Module, the master wrapping key, called the Storage Root Key (SRK), is stored within
the Trusted Platform Module itself, so the private portion of the key is never exposed. The embedded security
chip can also store other storage keys, signing keys, passwords, and other small units of data. Because of
the limited storage capacity in the Trusted Platform Module, the SRK is used to encrypt other keys for off-chip
storage. The SRK never leaves the embedded security chip, and forms the basis for protected storage.
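The protected-storage hierarchy described above, modelled as an added example that is not from the Lenovo manual: the Storage Root Key exists only inside the emulated chip, child keys leave it only as SRK-wrapped blobs, and a blob produced by one chip fails to load on another. The HMAC-SHA256 counter-mode cipher with an authentication tag is a constructed stand-in for the chip's real wrapping algorithm, and the class and method names are assumptions.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(parent: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a constructed stand-in for the chip's cipher.
    return b"".join(_prf(_prf(parent, b"enc"), nonce + i.to_bytes(4, "big"))
                    for i in range(length // 32 + 1))[:length]

def wrap(parent: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC of secret under parent; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(parent, nonce, len(secret))))
    return nonce + ct + _prf(_prf(parent, b"mac"), nonce + ct)

def unwrap(parent: bytes, blob: bytes) -> bytes:
    """Check the tag with the parent key before decrypting; a wrong parent raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(parent, b"mac"), nonce + ct)):
        raise ValueError("blob was not wrapped by this parent key")
    return bytes(a ^ b for a, b in zip(ct, _stream(parent, nonce, len(ct))))

class TrustedPlatformModule:
    """Emulated chip: the SRK is generated inside it and no method returns it."""
    def __init__(self) -> None:
        self._srk = os.urandom(32)  # Storage Root Key: never leaves the object

    def create_storage_key(self) -> bytes:
        """Generate a child key; hand back only its SRK-wrapped blob for off-chip storage."""
        return wrap(self._srk, os.urandom(32))

    def seal(self, key_blob: bytes, data: bytes) -> bytes:
        # Unwrap the child key inside the chip, then wrap the data under it.
        return wrap(unwrap(self._srk, key_blob), data)

    def unseal(self, key_blob: bytes, sealed: bytes) -> bytes:
        return unwrap(unwrap(self._srk, key_blob), sealed)

def demo() -> bool:
    """Round-trip on one chip; a second chip (a replaced system board) cannot load the blob."""
    chip, other = TrustedPlatformModule(), TrustedPlatformModule()
    key_blob = chip.create_storage_key()  # constructed: what the hard drive would hold
    sealed = chip.seal(key_blob, b"constructed secret")
    try:
        other.unseal(key_blob, sealed)
        return False
    except ValueError:
        return chip.unseal(key_blob, sealed) == b"constructed secret"
```

`demo()` returns True only when the original chip recovers the data and the other chip rejects the blob, which is the recovery case the manual reserves for the administrator.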
Using the embedded security chip is optional and requires a Client Security Solution administrator. Whether
for an individual user or a corporate IT department, the Trusted Platform Module must be initialized. Subsequent
operations, such as recovering from a hard drive failure or a replaced system board, are also
restricted to the Client Security Solution administrator.
Note: If you are changing the authentication mode and attempt to unlock the security chip, you must log
out and then log back in as the master administrator. This will enable you to unlock the chip. You can also
log on as a secondary user and continue to convert the authentication mode. This is done automatically
when the secondary user logs on. Client Security Solution will prompt for the secondary user password
or passphrase. Once Client Security Solution is done processing the change, the secondary user can
proceed with unlocking the chip.
Using the Trusted Platform Module with Windows Vista
If the Windows Vista logon feature is enabled and you intend to disable the Trusted Platform Module, disable the
Windows logon feature first, before disabling the Trusted Platform Module in the F1 BIOS. Doing this prevents
the security message that states: "Security chip has been deactivated, the logon process cannot be
protected."
In addition, if you are upgrading the operating system of a client system, you must clear the security chip to
avoid enrollment failure of Client Security. To clear the chip in F1 BIOS, the system must be started from a
cold boot. You will not be able to clear the chip if you attempt this process after a warm reboot.
Managing Client Security Solution with cryptographic keys
Client Security Solution is described by two main deployment activities: Take Ownership and Enroll
User. While running the Client Security Solution Setup Wizard for the first time, the Take Ownership and
Enroll User processes are both performed during the initialization. The particular Windows user ID that
completed the Client Security Solution Setup Wizard is the Client Security Solution Administrator and is
© Copyright Lenovo 2008, 2012
