HP-UX Trusted Computing Services A.02.00 Administrator's Guide
TPM for additional security, and the encrypted data can be decrypted only on the system with
the same TPM.
TCS on-demand encryption utilities use the TPM key infrastructure; no additional key
administration is needed.
TCS RSA Key Utility and TPM OpenSSL Engine
The TCS RSA key utility, tpmcreate, creates RSA key pairs that are bound to the local TPM;
the private RSA key is protected by the TPM.
The TPM OpenSSL engine enables an OpenSSL application to use TCS RSA key pairs in the same
way it would use RSA keys generated by OpenSSL software. You can use TCS RSA key pairs
with OpenSSL to create X.509 security certificates.
Using TCS RSA key pairs and the TPM OpenSSL engine provides the following benefits:
• Hardware-based encrypted storage for RSA private keys.
• Platform identity. The TPM-protected private key is associated with a unique server because
it is bound to a specific TPM. This association is extended to the X.509 certificate containing
the associated public key.
• Transparent compatibility for RSA session peers, remote or local, and for Certificate
Authorities (CAs). Session peers and CAs require no modifications to use TPM-protected
X.509 certificates.
• Runtime loading with minimal or no source code changes. Applications that are enabled to
use the OpenSSL engine infrastructure require no changes.
• Optional 128-byte passphrase protection for private keys.
• Public keys compatible with OpenSSL commands and libraries. The keys can be stored in
Secure Shell version 2 (SSHv2), Privacy Enhanced Mail (PEM), or Distinguished Encoding
Rules (DER) format.
For more information about the TPM OpenSSL engine, see “OpenSSL Engine Infrastructure and
TPM OpenSSL Engines” (page 40).
TCS RSA Key Utility
The tpmcreate utility creates RSA key pairs that are protected by the TPM. It can also wrap,
or protect, an existing RSA key pair. On systems with HP-UX Secure Shell (SSH) version
A.05.00.029, you can also use a TCS RSA key pair for SSH server key authentication.
For more information about tpmcreate, see “The tpmcreate Utility” (page 40).
TPM EVFS Library
TCS also provides the TPM EVFS library that EVFS can use to protect its keys with the TPM. The
TPM EVFS library is built on the TSPI library and provides an interface between the TSPI interface
defined by the TCG and the key protection interface defined by EVFS.
For more information about the TCS EVFS library, see Chapter 7 (page 61).
TPM Key Hierarchy
TPM uses a hierarchical key encryption scheme, where a key protects the key or keys directly
below it in the hierarchy. Figure 1-3 shows the TPM key hierarchy.
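The following Python model is an added example, not HP-UX TCS code: it shows the protection rule just described, where each key exists only as a blob wrapped by the key above it, so a leaf key can be recovered only by unwrapping downward from the root of the same TPM, and an optional passphrase guards the leaf. The HMAC-based wrapping primitive and the 32-byte keys are assumptions standing in for the TPM's RSA-based wrapping.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream over HMAC-SHA256 (toy stand-in for TPM RSA wrapping)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(parent: bytes, child: bytes, auth: bytes = b"") -> bytes:
    """Encrypt `child` under `parent`; `auth` models the optional passphrase on a key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(child, _keystream(parent, nonce, len(child))))
    tag = hmac.new(parent, nonce + ct + auth, hashlib.sha256).digest()
    return nonce + ct + tag  # blob layout: 16-byte nonce | ciphertext | 32-byte tag

def unwrap(parent: bytes, blob: bytes, auth: bytes = b"") -> bytes:
    """Recover the child key; fails if the parent key or passphrase does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(parent, nonce + ct + auth, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong parent key or passphrase")
    return bytes(a ^ b for a, b in zip(ct, _keystream(parent, nonce, len(ct))))

def load_leaf(root: bytes, chain) -> bytes:
    """Walk the hierarchy: each (blob, auth) level is unwrapped with the key above it."""
    key = root
    for blob, auth in chain:
        key = unwrap(key, blob, auth)
    return key

def demo() -> dict:
    """Constructed scenario: storage key under TPM root A, passphrase-protected leaf below it."""
    root_a, root_b = os.urandom(32), os.urandom(32)  # two distinct TPM roots (constructed)
    storage, leaf = os.urandom(32), os.urandom(32)
    chain = [(wrap(root_a, storage), b""), (wrap(storage, leaf, b"secret"), b"secret")]
    results = {"same_tpm": load_leaf(root_a, chain) == leaf}
    for name, root, levels in (
        ("other_tpm_rejected", root_b, chain),  # same blobs, different TPM root
        ("bad_passphrase_rejected", root_a, [(chain[0][0], b""), (chain[1][0], b"wrong")]),
    ):
        try:
            load_leaf(root, levels)
            results[name] = False
        except PermissionError:
            results[name] = True
    return results
```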
14 Trusted Computing Systems Overview