Trusted Platform Module (TPM) Quick Reference Guide

Similar documents
LED Manager for Intel NUC

GUID Partition Table (GPT)

Intel Platform Administration Technology Quick Start Guide

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide

Software Evaluation Guide for WinZip 15.5*

Revision: 0.30 June Intel Server Board S1200RP UEFI Development Kit Firmware Installation Guide

1. Save the Express BIOS update file to a temporary directory on the target PC. 2. Double-click the *.EXE file to run the Express BIOS update.

Revision: 0.30 June Intel Server Board S2600CP4 UEFI Development Kit Firmware Installation Guide

Computer Management* (IEA) Training Foils

Configuring Intel Compute Stick STK2MV64CC/L for Intel AMT

Software Evaluation Guide for WinZip* esources-performance-documents.html

Intel Desktop Board DZ68DB

The Intel SSD Pro 2500 Series Guide for Microsoft edrive* Activation

Software Evaluation Guide for ImTOO* YouTube* to ipod* Converter Downloading YouTube videos to your ipod

March Getting Started with the Intel Desktop Board DQ77MK UEFI Development Kit

Intel Server RAID Controller U2-1 Integration Guide For Microsoft* Windows NT* 4.0

How to Clear TPM HW on HP Personal Systems

BIOS Update Release Notes

Quick Reference This guide is written for technically qualified personnel with experience installing and configuring desktop boards.

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper

Intel Atom Processor E3800 Product Family Development Kit Based on Intel Intelligent System Extended (ISX) Form Factor Reference Design

Intel Desktop Board DQ35MP. MLP Report. Motherboard Logo Program (MLP) 5/7/2008

Mobile Client Capability Brief for Exporting Mail in Microsoft* Office* Outlook* 2007

Intel Server Board S2600CW2S

Intel IT Director 1.7 Release Notes

BIOS Update Release Notes

Non-Volatile Memory Cache Enhancements: Turbo-Charging Client Platform Performance

Intel Cache Acceleration Software - Workstation

BIOS Update Release Notes

Software Evaluation Guide for Sony Vegas Pro 8.0b* Blu-ray Disc Image Creation Burning HD video to Blu-ray Disc

Reinstalling the Operating System on the Dell PowerVault 745N

Serial ATA Hot Swap Drive Cage Upgrade Kit for: Intel Server Chassis SC5200 Intel Server Chassis SC5250-E

BIOS Update Release Notes

Lenovo ThinkCentre M90z with Intel vpro Technology. Stefan Richards Intel Corporation Business Client Platform Division

Installation Guide and Release Notes

Intel Solid State Drive Firmware Update Tool

PS-4700/4800Series User ユーザーマニュアル Hardware Manual Manual

Software Evaluation Guide for Photodex* ProShow Gold* 3.2

BIOS Update Release Notes

Changing your Driver Options with Radeon Pro Settings. Quick Start User Guide v2.1

Authentication Manager Self Service Password Request Administrator s Guide

Sophos Central Device Encryption. Administrator Guide

Software Evaluation Guide for Microsoft* Office Excel* 2007

BIOS Update Release Notes

SonicWall Global VPN Client Getting Started Guide

Intel Entry Storage System SS4000-E

Intel Setup and Configuration Service Lite

Intel Server Board SE7505VB2 SMBIOS Update Utility User s Manual

Intel Thread Checker 3.1 for Windows* Release Notes

Software Evaluation Guide Adobe Premiere Pro CS3 SEG

Intel Entry Storage System SS4000-E

V10.16 Unified Firmware Update. Release Notes & Installation Instructions

Intel Desktop Board D915GUX Specification Update

Intel Desktop Board D915GEV Specification Update

BIOS Update Release Notes

Intel SRCS28X RAID Controller 814G Firmware Upgrade for Intel Storage System SSR316MJ+

Intel Desktop Board DX58SO. MLP Report. Motherboard Logo Program (MLP) 8/10/2009

BIOS Update Release Notes

USER MANUAL TOUGH DRIVE EXTERNAL MOBILE HARD DRIVE / 2.5" / USB 2.0. Rev. 848

Intel Desktop Board DX48BT2. MLP Report. Motherboard Logo Program (MLP) 6/17/2008

Installation Guide and Release Notes

V10.18 Unified Firmware Update. Release Notes & Installation Instructions

Intel Desktop Board D945GCLF

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

Software Evaluation Guide for Microsoft* Office Excel* 2007

Solution Recipe: Increase Data Protection Using Intel vpro Technology

BIOS Update Release Notes

Intel Desktop Board D945GCCR

Quest Migrator for Notes to Exchange SSDM User Guide

BIOS Update Release Notes

8 MANAGING SHARED FOLDERS & DATA

BIOS Update Release Notes

BIOS Update Release Notes

Intel Desktop Board DH61HO. MLP Report. Motherboard Logo Program (MLP) 09/20/2012

KEYPAD MODEL USER MANUAL

Intel Desktop Board DH61CR

Intel Setup and Configuration Service. (Lightweight)

Dell Data Security Console. User Guide v2.0

Intel Desktop Board DG41CN

Intel Desktop Board DQ35JO

Intel Desktop Board D946GZAB

Intel Theft Deterrent Client User Guide

One Identity Manager Administration Guide for Connecting to SharePoint

Intel Desktop Board D975XBX2

Stellar Phoenix Password Recovery For Windows Server. Version 2.0. User Guide

Quest Collaboration Services 3.6. Installation Guide

Intel Transparent Computing

Image Backup and Recovery Procedures For Windows 7

Intel Server Board S5520HC

Intel Desktop Board D945GCLF2

Dell DocRetriever for SharePoint. User Guide 5.3.1

PGP NetShare Quick Start Guide version 9.6

BIOS Update Release Notes

ModeChanger

Bluetooth Lock Boxes User Guide

BIOS Update Release Notes

Intel Desktop Board DG35EC. MLP Report. Motherboard Logo Program (MLP) 6/17/2008

BIOS Update Release Notes

Intel vpro Technology Virtual Seminar 2010

BIOS Update Release Notes

Transcription:

Trusted Platform Module (TPM) Quick Reference Guide System builders/integrators should give this Guide to the system owners to assist them in enabling and activating the Trusted Platform Module. Warning of Potential Data Loss...3 Trusted Platform Module (TPM)...5 System Requirements...5 Security Precautions...5 Password Procedures... 6 Emergency Recovery File Back Up Procedures... 7 Hard Drive Image Backup Procedures... 7 Clear Text Backup (Optional)... 7 Trusted Platform Module Ownership...8 Trusted Platform Module Software Installation..8 Enabling the Trusted Platform Module...8 Assuming Trusted Platform Module Ownership..9 Recovery Procedures...10 How to Recover from a Hard Drive Failure... 10 How to Recover from a Desktop Board, coin battery or TPM Failure... 10 Clearing Trusted Platform Module Ownership...11 Support Links...12

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Intel is a trademark of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright 2008 Intel Corporation 2 Trusted Platform Module (TPM) Quick Reference Guide

Warning of Potential Data Loss IMPORTANT USER INFORMATION. READ AND FOLLOW THESE INSTRUCTIONS PRIOR TO TRUSTED PLATFORM MODULE INITIALIZATION. System integrators, owners, and end users must take precautions to mitigate the chance of data loss. Data encrypted by any program utilizing the Trusted Platform Module (TPM) may become inaccessible or unrecoverable if any of the following occurs: Lost Password: Loss of any of the passwords associated with the TPM will render encrypted data inaccessible. No password recovery is available. Read the Security Precautions for Password Procedures. Removal or draining of coin battery: The coin battery is required to maintain the TPM s monotonic counters. One major function of the monotonic counters is for anti-replay protection of the internal Intel TPM data. If the battery is removed or exhausted, the Intel TPM data will be deleted in accordance to Trusted Computing Group guidelines. Read the Security Precautions for Emergency Recovery File Back Up Procedures. Hard Drive Failure: In the event of a hard disk (or other storage media) failure that contains encrypted data, an image of the hard disk (or other storage media) must be restored from backup before access to encrypted data may become available. The owner/user should backup the system hard disk on a regular basis. Read the Security Precautions below for Hard Drive Backup Procedures. Platform Failure: In the event of a platform failure and/or replacement of the desktop board, recovery procedures may allow migratable keys to be recovered and may restore access to encrypted data. All non-migratable keys and their associated data will be lost. Both the Wave Systems* EMBASSY* Security Center and Wave Systems EMBASSY Trust Suite utilize migratable keys. Please check any other software that accesses the TPM for migratability. Read the Security Precautions for Emergency Recovery File Back Up Procedures. Loss of Trusted Platform Module Ownership: Trusted Platform Module Ownership/contents may be cleared (via a BIOS switch) to allow for the transfer of a system to a new owner. If TPM ownership is cleared, either intentionally or in error, recovery procedures may allow the migratable Trusted Platform Module (TPM) Quick Reference Guide 3

keys to be recovered and may restore access to encrypted data. Read the Security Precautions for Emergency Recovery File Back Up Procedures. 4 Trusted Platform Module (TPM) Quick Reference Guide

Trusted Platform Module (TPM) The Trusted Platform Module is a component on the desktop board that is specifically designed to enhance platform security above-and-beyond the capabilities of today s software by providing a protected space for key operations and other security critical tasks. Using both hardware and software, the TPM protects encryption and signature keys at their most vulnerable stages operations when the keys are being used unencrypted in plain-text form. The TPM is specifically designed to shield unencrypted keys and platform authentication information from software-based attacks. System Requirements Intel Desktop Boards Executive or Extreme Series Microsoft Windows* XP Professional (SP2) or Microsoft Windows Vista* operating system NTFS file system Microsoft Internet Explorer 5.5 or later Adobe* Acrobat* 5.0 or later Security Precautions Security, like any other aspect of computer maintenance, requires planning. What is unique about security has to do with understanding who "friends" are and who adversaries are. The TPM provides mechanisms to enable the owner/user to protect their information from adversaries. To provide this protection, the TPM effectively puts "locks" around the data. Just like physical locks, if keys or combinations are lost, the assets (data) may be inaccessible not only to adversaries, but also to the asset owner/user. The TPM provides two classes of keys: migratable and nonmigratable. Migratable keys are designed to protect data that can be used (unencrypted) on more than one platform. One advantage is allowing the key data to be replicated (backed-up and restored) to another platform. This may be because of user convenience (someone uses more than one platform, or the data needs to be available to more than one person operating on different platforms). Another advantage to this type of key is that it can be backed-up and restored from a defective platform onto a new platform. Trusted Platform Module (TPM) Quick Reference Guide 5

However, migratable keys may not be the appropriate level of protection needed for the application when the user wants the data restricted to a single platform. This requires a nonmigratable key. Non-migratable keys carry with them a usage deficit in that while the key may be backed-up and restored (protected from hard disk failure) they are not protected against system or TPM failure. The very nature of a nonmigratable key is that they can be used on one and only one TPM. In the event of a system or TPM failure, all nonmigratable keys and the data associated with them will be inaccessible and unrecoverable. The following precautions and procedures may assist in recovering from any of the previously listed situations. Failure to implement these security precautions and procedures may result in unrecoverable data loss. Password Procedures The Wave Systems EMBASSY Security Center software allows users to configure passwords from 8 to 255 characters. A good password should consist of: At least one upper case letter (A to Z) At least one numerical character (0 to 9) At least one symbol character (!, @, &, etc.) Example Passwords: I wear a Brown hat 2 work @ least oncea-month or ujgfak&%)adf35a9m NOTE Avoid using names or dates that can be easily guessed, such as birthdays, anniversaries, family member names, or pet names. All passwords associated with the EMBASSY Security Center (owner, TPM Key Archive, and other archives) as well as the EMBASSY Trust Suite are NOT RECOVERABLE and cannot be reset without the original text. The system owner should document all passwords, store them in a secured location (a vault, safe deposit box, or off-site storage), and have them available for future use. These documents should be updated after any password changes are made. 6 Trusted Platform Module (TPM) Quick Reference Guide

Emergency Recovery File Back Up Procedures Use the EMBASSY Security Center to create the TPM Key Archive file (keyarchive.xml) onto a removable media (a floppy, CDR, or flash media). Once this is completed, the removable media should be stored in a secure location. DO NOT LEAVE ANY COPIES of the TPM Key Archive on the hard drive or within any hard drive image backups. If a copy of the TPM Key Archive remains on the system, it could be used to compromise the Trusted Platform Module and platform. This procedure should be repeated after any password changes or the addition of a new user. Hard Drive Image Backup Procedures To allow for emergency recovery from a hard drive failure, frequent images of the hard drive should be created and stored in a secure location. In the event of a hard drive failure, the latest image can be restored to a new hard drive and access to the encrypted data can be re-established. NOTE All encrypted and unencrypted data that was added after the last image was created will be lost. Clear Text Backup (Optional) It is recommended that system owners follow the Hard Drive Image Backup Procedures. This option is not recommended because the data is exposed during backup and restores. To backup select files without creating a drive image, files can be moved from secured programs or drive letters to an unencrypted directory. The unencrypted (clear text) files may then be backed up to removable media and stored in a secure location. The advantage of the clear text backup is that no TPM key is required to restore the data. Trusted Platform Module (TPM) Quick Reference Guide 7

Trusted Platform Module Ownership The Trusted Platform Module is disabled by default when shipped and the owner/end customer of the system assumes ownership of the TPM. This permits the owner of the system to control initialization of the TPM and create all the passwords associated with the TPM that will be used to protect their keys and data. System builders/integrators may install both the Wave Systems EMBASSY Security Center and the Wave Systems EMBASSY Trust Suite, but SHOULD NOT attempt to use or activate the TPM or either software package. Trusted Platform Module Software Installation The software package for the TPM can be installed from the Intel Express Installer DVD. Enabling the Trusted Platform Module The Trusted Platform Module is disabled by default when shipped to insure that the owner/end customer of the system initializes the TPM and configures all security passwords. The owner/end customer should use the following steps to enable the TPM. 1. While the PC is displaying the splash screen (or POST screen), press the <F2> key to enter BIOS. 2. Use the arrow keys to go to the Advanced Menu, select Peripheral Configuration, and then press the <Enter> key. 3. Select the Trusted Platform Module, press <Enter>, and select Enabled and press <Enter> again (display should show: Trusted Platform Module [Enable]). 4. Press the <F10> key, and press Y. 5. The system should reboot and start Microsoft Windows. 8 Trusted Platform Module (TPM) Quick Reference Guide

Assuming Trusted Platform Module Ownership Once the TPM has been enabled, ownership must be assumed by using the EMBASSY Security Center. The owner/end user should follow the steps listed below to take ownership of the TPM: 1. Start the system. 2. Launch the EMBASSY Security Center. 3. Select the Owner tab and click on the Establish button. 4. Create the Owner password (before creating any password, review the Password Recommendations made earlier in this document). 5. After successfully taking ownership of the TPM, select the User tab and click on the Initialize button. 6. Enter the Windows login password to create and synchronize the TCG Security Vault Password. 7. To create an archive of the TPM keys, select the Key Manager icon on the left side of the EMBASSY Security Center and click on the Archive button. 8. Choose a location to save the TPM Key Archive file (removable media recommended; see Emergency Recovery File Back Up Procedures for more information). 9. Create a password to protect the TPM Key Archive (this password should not match the Owner password or any other password). 10. Enter the Owner password when prompted. 11. After completing the archive function, the TPM Key Archive (keyarchive.xml) that is now on a removable media should be stored in a secure location. No copies of the keyarchive.xml should remain on the system. This procedure should be repeated after any password changes or the addition of new users or TPM enabled software. 12. All passwords associated with the EMBASSY Security Center Software (owner, TPM Key Archive, and other passwords) are not recoverable and cannot be reset without the original password. These passwords should be documented and stored in a secured location (vault, safe deposit box, or offsite storage) in case they are needed in the future. These documents should be updated after any password changes. Trusted Platform Module (TPM) Quick Reference Guide 9

Recovery Procedures How to Recover from a Hard Drive Failure Restore the latest hard drive image from backup to the new hard drive no TPM specific recovery is necessary. How to Recover from a Desktop Board, coin battery or TPM Failure This procedure may restore the migratable keys from the TPM Key Archive, but does not restore any previous keys or content to the TPM. This recovery procedure may restore access to the EMBASSY Trust Suite that is secured with migratable keys. Requirements TPM Key Archive file (keyarchive.xml file created with the EMBASSY Security Center) TPM Key Archive password (created with the EMBASSY Security Center) Owner password Working original operating system installation, or a restored image of the hard drive This recovery procedure may restore the migratable keys from the previously created TPM Key Archive. 1. Replace the desktop board with the same model as the failed board. 2. Start the original operating system or restore the original hard drive image. 3. Start the EMBASSY Security Center. 4. Take ownership of the Trusted Platform Module (see Assuming Trusted Platform Module Ownership, steps 3 and 4 only). 5. To restore a TPM Key Archive, select the Key Manager icon on the left side of the EMBASSY Security Center and click on the Restore button. 6. Enter the password for the TPM Key Archive when prompted. 7. Enter the Owner password when prompted. 8. Restoring the keys may take as long as 5 minutes and you may be prompted for your Windows password. After the keys have been successfully restored, you should be able to access previously encrypted files. 10 Trusted Platform Module (TPM) Quick Reference Guide

Clearing Trusted Platform Module Ownership WARNING Disconnect the desktop board's power supply from its AC power source before you connect or disconnect cables, or install or remove any board components. Failure to do this can result in personal injury or equipment damage. Some circuitry on the desktop board can continue to operate even though the front panel power switch is off. CAUTION DATA ENCRYPTED BY ANY PROGRAM UTILIZING THE TPM WILL BECOME INACCESSIBLE IF TPM OWNERSHIP IS CLEARED. Recovery procedures may allow the migratable keys to be recovered and might restore access to encrypted data. (Review the Recovery Procedures for detailed instructions). Follow the steps below to clear the TPM to transfer ownership of the platform to a new owner. 1. Observe the precaution in the WARNING above before opening the system case. 2. Move the BIOS configuration jumper on the board to pins 2-3. 3. Restore power to the PC and power on. 4. System should automatically enter BIOS setup. 5. Use the arrow keys to select Clear Trusted Platform Module, press <Enter>. 6. Select Yes and press <Enter>. 7. Press the <F10> key to save and exit, and press Y. 8. Power off the system. 9. Review the precaution in the WARNING above. 10. Restore the BIOS configuration jumper on the board to pins 1-2. When cleared, the TPM module is disabled by default. Trusted Platform Module (TPM) Quick Reference Guide 11

Support Links For assistance with the Wave System* EMBASSY* Trust Suite visit: http://www.wave.com/support/ets.html For additional information about TPM and enhancing PC security, visit: https://www.trustedcomputinggroup.org 12 Trusted Platform Module (TPM) Quick Reference Guide

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback