HP ProtectTools security software 2011 - Technical white paper
A. HP ProtectTools and security modules are available as standard security features on all business
notebooks. On business desktops, some modules are available at additional cost. For details on
ProtectTools availability on business desktops, please refer to the Platform Support section of this
white paper.
Q. Can smart cards be used for pre-boot authentication?
A. Smart cards are not supported in BIOS pre-boot; however, FVE supports specific ActivIdentity
smart cards. Please refer to the user documentation that came with your computer for steps to
configure the system for smart card pre-boot authentication.
Q. How can I tell if my PC contains a TPM embedded security chip?
A. If the PC contains a TPM embedded security chip, it will be listed in the Windows Device
Manager, under the category System Devices. On business notebooks, the TPM embedded
security chip will be listed as Infineon Trusted Platform Module.
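The same check can be scripted for inventory purposes. The following PowerShell is an added example, not part of the HP white paper or of ProtectTools; the function name Get-TpmInventory is hypothetical. It reads the device entry that Device Manager displays and the state reported by the Windows Win32_Tpm WMI class.

```powershell
# Added example (not HP code): report whether a TPM is visible to Windows.
# Get-TpmInventory is a hypothetical helper name. Run from an elevated
# prompt; the Win32_Tpm query is denied to non-administrators.
function Get-TpmInventory {
    [CmdletBinding()]
    param()

    # 1. Device Manager view: PnP entities whose name mentions a TPM,
    #    e.g. "Infineon Trusted Platform Module" on business notebooks.
    $devices = @(Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name -like '*Trusted Platform Module*' })

    # 2. TPM WMI provider view: enabled/activated/owned state and spec version.
    $tpm = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop |
               Select-Object -First 1
    } catch {
        # Typical causes: shell not elevated, or no TPM exposed to the OS.
        Write-Verbose "Win32_Tpm query failed: $($_.Exception.Message)"
    }

    # Format the numeric manufacturer ID as hex only when a TPM was returned.
    $vendor = $null
    if ($tpm) { $vendor = '0x{0:X8}' -f $tpm.ManufacturerId }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DevicePresent  = $devices.Count -gt 0
        DeviceName     = ($devices | ForEach-Object { $_.Name })   -join '; '
        DeviceStatus   = ($devices | ForEach-Object { $_.Status }) -join '; '
        WmiVisible     = $null -ne $tpm
        SpecVersion    = if ($tpm) { $tpm.SpecVersion } else { $null }
        ManufacturerId = $vendor
        Enabled        = if ($tpm) { $tpm.IsEnabled_InitialValue }   else { $null }
        Activated      = if ($tpm) { $tpm.IsActivated_InitialValue } else { $null }
        Owned          = if ($tpm) { $tpm.IsOwned_InitialValue }     else { $null }
    }
}

Get-TpmInventory -Verbose | Format-List
```

If DevicePresent is true but WmiVisible is false, rerun from an elevated prompt before concluding that the TPM is unavailable.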
Q. If a TPM encrypted file is copied or moved to a second system which does not have the key to
decrypt the file, what would happen to the file? Would it remain on the second system as an
unreadable file or would it be automatically deleted? Would the user of the second system be able to
delete the file even if he does not have the decryption keys? Is there a solution to automatically delete
such files?
A. This depends on the application being used to move data from one system to the other. If the
application reads the data, repackages it and sends it to another platform (say you email an
encrypted file on your system), then the data/file is typically read/accessed by your email
program, thereby decrypting it. The email program may encrypt the data in transit across the internet if
that option is selected, but the TPM is no longer protecting the data. This is true of any data on
your system encrypted by MSFT EFS (Microsoft's Encrypting File System, where the TPM can be used to
protect the file/folder encryption keys) and also for files encrypted within PSD (ProtectTools
Personal Secure Drive). It is possible for a file to remain encrypted no matter where it resides, but
typically in those types of applications the file name is changed. For instance, hello.doc becomes
hello.doc.enc to show that the file is encrypted, and a separate program must process the file
before it is readable.
Q. Regarding the TPM chip itself, does it store any user specific information? If so, how can I clear it?
A. There is no user data in the TPM; however, if required, the TPM can be cleared via F10 BIOS to
return it to the factory default/cleared state.
Q. What is the Credential Manager module for HP ProtectTools?
A. Please refer to the Credential Manager for HP ProtectTools section of the white paper.
Q. How does Credential Manager differ from other single sign-on solutions?
A. Most technologies and features provided by HP ProtectTools Security Manager are individually
available. The value of HP ProtectTools is that it brings these technologies together in a single,
easy-to-use security solution. As an HP ProtectTools core component, the features provided by
Credential Manager are integrated into HP ProtectTools and work with the user authentication
features of HP ProtectTools.
Q. Does Credential Manager for HP ProtectTools use the embedded security chip if available?
A. Yes, Credential Manager uses the embedded security chip, if available, to encrypt passwords
stored in the password vault.
Q. Does Credential Manager for HP ProtectTools support multiple users on a single client device?
A. Yes, Credential Manager works on the concept of identity. To log on to a computer, a user
simply needs to create a Credential Manager ID.