Windows PFX certificate import: protect private key using virtualization-based security?

Question

On Windows 10 v1803 (i.e. April 2018 update) when importing a PFX, an option like

[ ] Protect private key using virtualization-based security (non-exportable)

appears on the import wizard. What is the underlying technology and it's mechanics from security perspective?

score 4 · Accepted Answer · answered May 25 '18 at 19:33

4

Virtualized-Based Security (VBS) uses TPM module to store keys. The key is accessible from within OS, but won't be available if OS is changed. More details on VBS: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

answered May 25 '18 at 19:33

Crypt32

Does VBS prevent keys to be exported in cleartext as a regular smart card could do?. – Jaime Hablutzel Feb 02 '20 at 17:46
Yes, VBS does this. – Crypt32 Feb 02 '20 at 20:33

1 Answers1