HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Storage Root Key (SRK)
The Storage Root Key (SRK) is the root or top key in the TPM key hierarchy. The SRK is an
asymmetric key pair that TPM generates when the operator takes ownership of the TPM during
the initial TCS installation procedure. The private key component of the SRK is stored in TPM
internal memory and never leaves the TPM. To access data or a key encrypted by the SRK public
key, the encrypted data or key is loaded into the TPM and decrypted directly by the TPM.
Roaming Key (RK)
The Roaming Key (RK) is an asymmetric key pair. The RK is a child of the SRK and is protected
by the SRK. The SRK protects the RK by using its public key to encrypt the RK private key.
The RK is stored in system persistent storage as a key blob, which is an opaque data object.
The key blob includes the RK private key encrypted by the SRK public key. It also includes the
RK public key and other data used by TCS.
Migratable Keys
Migratable keys are keys that can be migrated or moved and used on another TPM system. The
RK is migratable; an authorized administrator can migrate the RK to another system, where it
is encrypted by the SRK on the target system. TCS encrypts the RK private key with a secret
passphrase before migration to protect it in transit.
All keys below the RK in the hierarchy are also migratable. Migrating keys is useful in cluster
environments, where you might want to have the same TCS application keys or data encrypted
by TCS application keys available on multiple systems.
TCS enables administrators to migrate the RK and its descendant keys by creating TPM key
archives. This procedure is described in “Creating and Restoring TPM Key Backup Files”
(page 31).
System Specific Storage Key (SK)
The System Specific Storage Key (SK) is a child of the SRK and protected by the SRK. The SK is
not migratable.
TCS creates an SK but does not protect any other keys with the SK.
TCS Application Keys
TCS application keys are keys generated and used by the TCS tpmcreate, tpmencrypt, and
tpmdecrypt utilities and by utilities modified to use TCS, such as EVFS. TCS supports the
following TCS application key types:
TCS on-demand encryption keys
TCS RSA key pairs
TCS EVFS keys
TCS On-Demand Encryption Keys
TCS on-demand encryption keys are used for the tpmencrypt and tpmdecrypt utilities. The
tpmencrypt utility generates a symmetric key and an asymmetric key pair. It encrypts the user
data with the symmetric key and encrypts the symmetric key with the public key component of
the asymmetric key pair. The tpmencrypt utility protects the private key component with the
RK.
By default, TCS stores the encrypted symmetric key as part of the output file that contains the
encrypted data. If the user specifies the -d option, TCS stores it in system persistent storage.
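The following Go program is an added illustration of the tpmencrypt and tpmdecrypt flow described above; it is not HP-UX code and does not reproduce the TCS blob format. It assumes AES-GCM for the symmetric layer and RSA-OAEP for key wrapping (the guide names neither), and a software RSA key stands in for the RK that the TPM would hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// OnDemandBlob models a tpmencrypt result (assumed layout, not the HP-UX format).
type OnDemandBlob struct {
	DataNonce, Data, WrappedSymKey []byte // output file: data under the symmetric key, key under the RSA public key
	WrappedKEK, PrivNonce, PrivKey []byte // RSA private component protected by the RK (file, or persistent storage with -d)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func wrap(pub *rsa.PublicKey, k []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)) }

// OnDemandEncrypt is the tpmencrypt flow; rkPub stands in for the RK public key. RSA cannot wrap
// a whole private key, so (an assumption of this example) a key-encryption key is wrapped under
// the RK and the private key blob is encrypted with it.
func OnDemandEncrypt(rkPub *rsa.PublicKey, plaintext []byte) OnDemandBlob {
	symKey, kek, dn, pn := random(32), random(32), random(12), random(12) // one-time secrets
	appKey := must(rsa.GenerateKey(rand.Reader, 2048))                  // one-time asymmetric pair
	return OnDemandBlob{
		dn, gcm(symKey).Seal(nil, dn, plaintext, nil), wrap(&appKey.PublicKey, symKey),
		wrap(rkPub, kek), pn, gcm(kek).Seal(nil, pn, x509.MarshalPKCS1PrivateKey(appKey), nil),
	}
}

// OnDemandDecrypt is the tpmdecrypt flow. A wrong RK or a tampered blob makes must() panic;
// the deferred recover turns that back into an ordinary error for the caller.
func OnDemandDecrypt(rk *rsa.PrivateKey, b OnDemandBlob) (plain []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			plain, err = nil, r.(error)
		}
	}()
	kek := must(rsa.DecryptOAEP(sha256.New(), nil, rk, b.WrappedKEK, nil))
	appKey := must(x509.ParsePKCS1PrivateKey(must(gcm(kek).Open(nil, b.PrivNonce, b.PrivKey, nil))))
	symKey := must(rsa.DecryptOAEP(sha256.New(), nil, appKey, b.WrappedSymKey, nil))
	return gcm(symKey).Open(nil, b.DataNonce, b.Data, nil)
}
```

Only a holder of the RK private half can recover the symmetric key, and any change to the encrypted data or wrapped keys is rejected at the GCM or OAEP layer.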
By default, TCS on-demand encryption keys require authorization. Users establish a passphrase
when they encrypt data with tpmencrypt, and must enter the same passphrase when decrypting
16 Trusted Computing Systems Overview