On Aug 18, 2007, at 3:30 PM, Ali, Saqib wrote:

One of the functions provided by the TPM is to wrap/bind and store the
bulk encryption keys. Now let's us say the mother board or the TPM
goes bad on your notebook or you simply want to upgrade the computer.
You need to be able to restore+transfer the information stored in the
TPM to your new computer. This is where you need TPM management suite
that support key backup/restore and transfer.

I still don't follow. BitLocker explicitly includes a (optionally file-based) recovery password. If you want central management, why not centrally manage _that_?

Alex Alten wrote:
Agreed, for most requirements.  Sometimes one may need to keep keys
in trusted hardware only.

The reason the TPM is used to wrap the BitLocker key is not because people don't want the key to be available outside of hardware -- at least I've never heard of that requirement going hand in hand with central key backup/migrate. Instead, TPM key wrapping is used so the early-boot checks can be enforced. I don't see how a hardware-only key that you can migrate to another TPM centrally is any more secure than keeping a key in hardware but falling back on a centrally- managed spare for enabling data migration.

Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to