HP-UX Trusted Computing Services A.02.00 Administrator's Guide

the data with tpmdecrypt. Users can also specify a tpmencrypt option so that no authorization
information is required to decrypt the data.
TCS RSA Key Pairs
A TCS RSA key pair is an asymmetric RSA key pair protected by the TPM: the private key is
encrypted by the RK, so it can be used only through the TPM. TCS RSA key pairs are generated
using the tpmcreate utility. You can also use tpmcreate to encrypt or wrap an existing RSA
private key with the RK.
TCS RSA key pairs are stored in user-specified file locations, external to TCS storage.
By default, TCS RSA key pairs do not require authorization, but users can specify an option to
establish a passphrase that protects the keys when creating them or when wrapping an existing
RSA private key.
TCS EVFS Keys
You can use TCS to protect the private key component of an EVFS user key pair (an EVFS private
key). TCS generates an asymmetric key pair (TCS EVFS keys) and uses the public key component
to encrypt the EVFS private key. The TCS private key is protected by the RK.
The EVFS private key is stored in the EVFS key storage database, which is configured and
managed by EVFS. The TCS EVFS key pair generated to protect the EVFS private key is stored
in TCS system persistent storage.
TCS EVFS keys require authorization. The passphrase that EVFS normally uses to encrypt the
private key component of an EVFS user key is instead used by TCS to authorize access to the
private key.
Chain of Protection
The private key component of a TCS application key is encrypted by the RK public key. There
is a chain of protection (Figure 1-4) from the SRK private key stored in the TPM to a TCS
application key, as follows:
The TPM contains and protects the SRK. The SRK can be used only by accessing the TPM.
The SRK protects the RK. The RK private key can be decrypted only by the SRK private key.
The RK protects the TCS application key. The TCS application private key can be decrypted
only by the RK private key.
Figure 1-4 TCS Chain of Protection: TPM with System Root Key (SRK) -> Roaming Key (RK) -> TCS
Application Key -> Encrypted Data. The TPM contains and protects the SRK; the SRK protects the
RK; the RK protects the TCS application key; the TCS application key protects the data.
Because of this chain of protection, a TCS application key, and any data protected by that key,
can be used only on the system whose TPM was used to create the TCS application key. (The
exception is a TCS application key that has been migrated to a target system. When keys are
migrated, the RK that protects the TCS application keys is re-encrypted with the SRK of the
target system, and the migrated keys can then be used on the target system.)
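The chain in Figure 1-4 modelled in software, as an added example: this is not HP's TCS code, it never touches a TPM, and it does not use tpmcreate, tpmencrypt or tpmdecrypt. Every name in it (build_chain, wrap, unwrap, migrate, decrypt_data, demo) is an assumption of the example; the keys are short textbook RSA pairs generated in pure Python with no OAEP padding, and a stdlib HMAC-SHA256 seal stands in for whatever the TPM and TCS actually use to wrap key material, so nothing here is suitable for protecting real data. What it shows is the property the text states: decrypting data means unwrapping top-down from the SRK through the RK to the application key; copying the same blobs to a system with a different SRK fails at the first step; and re-wrapping only the RK under the target SRK (the migration the text describes) makes the unchanged application key and data blobs usable there.

```python
# Added example (not HP TCS code): a pure-Python model of SRK -> RK -> application key -> data.
# Textbook RSA with 512-bit moduli and no OAEP, plus an HMAC-based seal, stand in for the
# TPM's own wrapping. For illustration only; not for real key protection.
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    # Miller-Rabin; adequate for a model, use a vetted library for real keys.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True


def rsa_keygen(bits=512, e=65537):
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)


def _stream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a keystream for the 32-byte content key.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, pt):
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def wrap(parent_pub, blob):
    # Hybrid wrap: fresh content key under the parent's RSA public key, blob under the content key.
    n, e = parent_pub
    cek = secrets.token_bytes(32)
    return pow(int.from_bytes(cek, "big"), e, n), seal(cek, blob)


def unwrap(parent_priv, wrapped):
    n, d = parent_priv
    m = pow(wrapped[0], d, n)
    if m.bit_length() > 256:             # the wrong parent key yields a random residue
        raise ValueError("wrong parent key")
    return open_sealed(m.to_bytes(32, "big"), wrapped[1])


def priv_to_bytes(priv):
    return priv[0].to_bytes(64, "big") + priv[1].to_bytes(64, "big")


def priv_from_bytes(b):
    return int.from_bytes(b[:64], "big"), int.from_bytes(b[64:], "big")


def build_chain():
    # The "TPM" holds the SRK; the SRK wraps the RK; the RK wraps the application key.
    srk_pub, srk_priv = rsa_keygen()
    rk_pub, rk_priv = rsa_keygen()
    app_pub, app_priv = rsa_keygen()
    system = {"srk_priv": srk_priv,
              "rk_wrapped": wrap(srk_pub, priv_to_bytes(rk_priv)),
              "app_wrapped": wrap(rk_pub, priv_to_bytes(app_priv))}
    return system, app_pub


def decrypt_data(system, wrapped_data):
    # Walk the chain top-down; each step needs the private half of the key above it.
    rk_priv = priv_from_bytes(unwrap(system["srk_priv"], system["rk_wrapped"]))
    app_priv = priv_from_bytes(unwrap(rk_priv, system["app_wrapped"]))
    return unwrap(app_priv, wrapped_data)


def migrate(system, target_srk_pub):
    # Re-wrap only the RK under the target SRK; application key and data blobs are unchanged.
    rk_blob = unwrap(system["srk_priv"], system["rk_wrapped"])
    return {"rk_wrapped": wrap(target_srk_pub, rk_blob), "app_wrapped": system["app_wrapped"]}


def demo():
    system, app_pub = build_chain()
    wrapped = wrap(app_pub, b"constructed sample data")   # data protected by the app key
    other_pub, other_priv = rsa_keygen()                    # a second system with its own SRK
    try:
        decrypt_data(dict(system, srk_priv=other_priv), wrapped)
        usable_elsewhere = True
    except ValueError:
        usable_elsewhere = False
    target = dict(migrate(system, other_pub), srk_priv=other_priv)
    return {"same_tpm": decrypt_data(system, wrapped),
            "other_tpm_unmigrated": usable_elsewhere,
            "other_tpm_migrated": decrypt_data(target, wrapped)}
```

Running demo() returns the plaintext for the originating system and again for the migrated target, and False for the un-migrated copy, because the foreign SRK cannot unwrap the RK blob and the chain never reaches the application key.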