HP-UX Trusted Computing Services A.01.00 Administrator's Guide
The primary user interface to the TPM consists of the applications and commands built on the
TSPI. The primary application for accessing the TPM is the Encrypted Volume and File System
(EVFS) key storage and retrieval mechanism.
In addition to EVFS integration, the TPM is accessed by the management commands delivered
as part of the HP-UX TCS product. The management commands provide the following:
• A mechanism for listing the status and contents of the TPM and persistent storage
• Necessary administrative tools including backup and recovery
TPM Key Hierarchy
A TPM contains relatively little internal storage space for storing keys. Rather than store every
key in the TPM, which quickly becomes a space issue, the TPM protects a few keys in its internal
memory. The rest of the keys are derived from (and protected by) the keys in the TPM internal
memory. These additional keys are stored on disk.
Figure 1-3 TPM Key Hierarchy
[Figure not reproduced in text. It shows the SRK (Auth: Empty String) at the top of System Persistent Storage, with the SK (Auth: None) and the migratable RK (Auth: None) directly beneath it. Beneath the RK, in EVFS Storage, are the EVFS Keys (Auth: Passphrase) and the keys used by tpmencrypt and tpmdecrypt.]
The top-level key under which all other keys are protected is called the Storage Root Key (SRK).
This key is created when the TCS software is installed as part of the taking ownership operation.
The private key component of the SRK never leaves the TPM. It is used to protect the System
Specific Storage Key (SK) and the Roaming Key (RK) directly under the SRK. The SK and the
RK are the top-level keys that actually protect data. The SK is not migratable, but the RK can
migrate to another system's TPM. TCS only supports the use of the RK, and uses it as the parent
of all protection keys for EVFS, tpmencrypt, and tpmdecrypt. When you back up or restore,
the HP-UX TCS commands use a special operation to re-encrypt the RK to a different TPM's
SRK, then all of the children of the RK are copied to the other platform.
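The following Python model is an added illustration of the hierarchy described above; it is not HP-UX TCS code. The TPM's RSA storage keys are replaced by a constructed wrap function (SHA-256 keystream plus HMAC tag), and the names SoftTpm, wrap, unwrap, make_hierarchy, open_evfs_key and migrate are assumptions of this model. It shows why backup only has to re-encrypt the RK to the other TPM's SRK while every child blob is copied unchanged, and that the old RK blob is useless to a TPM with a different SRK.

```python
import hashlib, hmac, os

# Toy wrap: SHA-256 keystream + HMAC tag (stand-in for the TPM's RSA storage keys).
def wrap(parent, child):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(child, hashlib.sha256(parent + nonce).digest()))
    return nonce + ct + hmac.new(parent, nonce + ct, "sha256").digest()

def unwrap(parent, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(parent, nonce + ct, "sha256").digest()):
        raise ValueError("blob was not wrapped by this parent key")
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(parent + nonce).digest()))

class SoftTpm:
    """One platform's TPM: the SRK private part is created at take-ownership and never exported."""
    def __init__(self):
        self._srk = os.urandom(32)
    def wrap_rk(self, rk):          # protect the RK directly under the SRK
        return wrap(self._srk, rk)
    def unwrap_rk(self, rk_blob):   # only the TPM holding this SRK can do this
        return unwrap(self._srk, rk_blob)

def make_hierarchy(tpm):
    """System persistent storage: RK under SRK, one EVFS key (32 bytes, constructed) under RK."""
    rk, evfs_key = os.urandom(32), os.urandom(32)
    return {"rk": tpm.wrap_rk(rk), "evfs": wrap(rk, evfs_key)}, evfs_key

def open_evfs_key(tpm, store):
    """EVFS key retrieval: the TPM unwraps the RK, the RK unwraps the EVFS key."""
    return unwrap(tpm.unwrap_rk(store["rk"]), store["evfs"])

def migrate(src_tpm, dst_tpm, store):
    """Backup/restore: re-encrypt only the RK to the destination SRK; every child blob is copied as is."""
    rk = src_tpm.unwrap_rk(store["rk"])   # simplification: a real TPM rewraps without exposing the RK
    return {"rk": dst_tpm.wrap_rk(rk), "evfs": store["evfs"]}

def demo():
    """Returns (usable on source, usable on destination after migration, source blob rejected elsewhere)."""
    src, dst = SoftTpm(), SoftTpm()
    store, evfs_key = make_hierarchy(src)
    moved = migrate(src, dst, store)
    try:
        open_evfs_key(dst, store)        # destination SRK cannot unwrap the source RK blob
        rejected = False
    except ValueError:
        rejected = True
    return open_evfs_key(src, store) == evfs_key, open_evfs_key(dst, moved) == evfs_key, rejected
```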
TPM Utilities
A number of utilities are delivered with HP-UX TCS to administer the TPM, provide TPM
diagnostics, and use the TPM to support the on-demand encryption of user-selected files and
directories. These utilities are as follows:
tpmadm
Administers the TPM at initial setup and for periodic maintenance. Specifically,
the tpmadm command offers subcommands for performing backup and
10 HP-UX TCS Overview