Information Security Asked on December 10, 2021
My company laptop recently needed a new mainboard as the old one was defective. The repair was carried out by the manufacturer, who sent a field engineer to my home.
Since the laptop uses BitLocker with keys stored in the TPM, I asked our IT support guy what I needed to do in order to be able to boot up the laptop with the new mainboard. His response was down the lines of:
Ask the field engineer if he can transfer the contents of the old TPM to the new one. That’s how I used to do it in my previous job, but now I no longer have access to the hardware to do so.
(It turned out the field engineer had no means to “clone” the TPM, so I ended up getting the recovery key from our IT support, booting with that and then setting a new PIN, which restored the key to the new TPM.)
However, the IT supporter’s response left me somewhat puzzled. As I understand it, the TPM is similar in nature to a Hardware Security Module (HSM): it can generate cryptographic keys (or have them imported) and carry out cryptographic operations with those keys without ever revealing the keys themselves. HSMs have mechanisms for backing up the keys stored in an HSM and transfer it to another, but that requires a transport key which the user sets upon initializing the HSM.
Now if anyone with the right tools were able to clone a TPM, I assume this would defeat the purpose of having a TPM in the first place. Or does TPM cloning require a transport key in a manner similar to an HSM, except that all TPMs of one manufacturer have the same transport key burned into them at the factory? In that case, who has access to manufacturer keys, and how do manufacturers protect that key from disclosure?
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP