A TPM hardware device has very limited non-volatile protected memory, just sufficient to store the EK (Endorsement Key) and SRK (Storage Root Key). How does a TPM allow a nearly unlimited number of symmetric keys to be safely stored on an otherwise very vulnerable HDD?

niklr

1 Answer

The Storage Root Key (SRK) is used to wrap TPM-protected keys, which can then be stored outside the TPM. The data stored outside the TPM can be decrypted by passing it back through the TPM again for a decryption operation.

Keys wrapped by the SRK can themselves be used to wrap other keys, too. This method of wrapping can be used to create a key hierarchy of parent key and child keys. To load a child, first load its parent. Once the child is loaded, the parent key can be unloaded from the TPM to free up TPM chip resources.

shpedoikal
Jeff Ferland
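The key hierarchy the answer describes, as an added software model (not code from the answer, and not a real TPM or TSS API): an SRK that never leaves the device, a small fixed number of loaded-key slots (three is an assumption for illustration), `create_child_key`/`load`/`unload` for building and walking the parent-child chain, and `seal`/`unseal` for the application's own symmetric keys. The wrapping primitive is an HMAC-SHA256 keystream plus an HMAC tag, used here only as a stand-in for the TPM's actual wrapping algorithms so that the structure, not the cipher, is what the example shows. The "disk" is a plain dict holding nothing but wrapped blobs.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TpmModel:
    """Toy TPM: limited key slots, an SRK that never leaves the device, and a
    wrap/unwrap primitive that turns keys into blobs safe to keep on an HDD."""

    SRK_HANDLE = 0

    def __init__(self, slots=3):
        self.slots = slots
        # The SRK is generated inside the device and stays permanently loaded.
        self._loaded = {self.SRK_HANDLE: secrets.token_bytes(32)}
        self._next_handle = 1

    # Stand-in wrapping primitive (HMAC-SHA256 in counter mode + HMAC tag),
    # NOT the TPM's real algorithm; assumption made for this example.
    def _keystream(self, key, nonce, length):
        out, ctr = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _wrap(self, kek, plaintext):
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = _xor(plaintext, self._keystream(kek, nonce, len(plaintext)))
        tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unwrap(self, kek, blob):
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("blob failed integrity check: wrong parent key or tampered")
        return _xor(ct, self._keystream(kek, nonce, len(ct)))

    def _require_loaded(self, handle):
        if handle not in self._loaded:
            raise KeyError(f"handle {handle} not loaded; load its parent chain first")
        return self._loaded[handle]

    # The operations the answer describes.
    def create_child_key(self, parent_handle):
        """Generate a key inside the TPM; only the blob wrapped under the parent leaves."""
        return self._wrap(self._require_loaded(parent_handle), secrets.token_bytes(32))

    def load(self, parent_handle, blob):
        """Unwrap a blob under its already-loaded parent and give it a slot."""
        if len(self._loaded) >= self.slots:
            raise RuntimeError("no free key slot; unload a key first")
        key = self._unwrap(self._require_loaded(parent_handle), blob)
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._loaded[handle] = key
        return handle

    def unload(self, handle):
        if handle == self.SRK_HANDLE:
            raise ValueError("the SRK is persistent and cannot be unloaded")
        del self._loaded[handle]

    def seal(self, handle, secret):
        """Protect application data (e.g. a disk-encryption key) under a loaded key."""
        return self._wrap(self._require_loaded(handle), secret)

    def unseal(self, handle, blob):
        return self._unwrap(self._require_loaded(handle), blob)


def demo(num_keys=1000):
    tpm, disk = TpmModel(slots=3), {}  # 'disk' only ever holds ciphertext
    # Hierarchy SRK -> storage key -> leaf key; each child is wrapped and pushed to disk.
    disk["storage.blob"] = tpm.create_child_key(TpmModel.SRK_HANDLE)
    storage = tpm.load(TpmModel.SRK_HANDLE, disk["storage.blob"])
    disk["leaf.blob"] = tpm.create_child_key(storage)
    leaf = tpm.load(storage, disk["leaf.blob"])
    tpm.unload(storage)  # parent can go once the child is loaded
    app_keys = [secrets.token_bytes(32) for _ in range(num_keys)]  # constructed sample keys
    for i, k in enumerate(app_keys):
        disk[f"key{i}.sealed"] = tpm.seal(leaf, k)
    tpm.unload(leaf)  # nothing but the SRK remains in the TPM
    # Later (e.g. after reboot): rebuild the chain from disk, recover one key.
    storage = tpm.load(TpmModel.SRK_HANDLE, disk["storage.blob"])
    leaf = tpm.load(storage, disk["leaf.blob"])
    tpm.unload(storage)
    recovered = tpm.unseal(leaf, disk["key42.sealed"])
    # A stolen HDD is useless to a TPM with a different SRK.
    try:
        TpmModel(slots=3).load(TpmModel.SRK_HANDLE, disk["storage.blob"])
        stolen_disk_usable = True
    except ValueError:
        stolen_disk_usable = False
    return {"recovered_matches": recovered == app_keys[42],
            "loaded_slots": len(tpm._loaded), "blobs_on_disk": len(disk),
            "stolen_disk_usable": stolen_disk_usable}


if __name__ == "__main__":
    print(demo())
```

Three slots are enough to reach any depth of hierarchy because only a parent and the child being loaded need to be resident at once; the thousand sealed keys never occupy TPM memory at all.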