0 / 16 flipped
What is a TPM?
Trusted Platform Module β a chip soldered to the motherboard with its own CPU, memory, and storage. Generates and stores hardware-bound cryptographic keys. Used for BitLocker, measured boot, and device attestation. Keys never need to leave the chip.
What is an HSM?
Hardware Security Module β a dedicated network appliance or PCIe card for enterprise-scale key management. Tamper-resistant/responsive. Used for CA private keys and PCI-DSS payment processing. Applications send data to the HSM for operations; keys never leave the device.
What is a Key Management System (KMS)?
Centralized software (often HSM-backed) managing the full key lifecycle: generation, storage, distribution, rotation, and revocation. Applications call the KMS API β they never store raw keys. Provides audit logging, access control, and automated rotation.
What is a Secure Enclave?
A hardware-isolated coprocessor within the main chip with its own boot process, memory, and storage. Isolated from the main OS β a compromised OS cannot access enclave data. Used in Apple/Android devices to protect biometrics and device encryption keys.
What is measured boot?
A TPM feature that records cryptographic hashes of each boot component (firmware, bootloader, OS) into Platform Configuration Registers (PCRs). Keys sealed to PCR values are only released if boot measurements match β detecting boot-path malware or tampering.
How does BitLocker use the TPM?
BitLocker seals the drive encryption key inside the TPM, bound to specific PCR measurements. At boot, the TPM verifies the system state matches expectations and releases the key. Moving the drive to another machine fails β that machine has a different TPM and no record of the sealed key.
What is the difference between tamper-resistant and tamper-responsive hardware?
Tamper-resistant: physically hardened to make attacks difficult (but not impossible). Tamper-responsive: actively detects physical attack and DESTROYS keys immediately. HSMs are typically tamper-responsive β even a successful physical breach yields no key material.
What compliance standard requires HSMs for payment key protection?
PCI-DSS (Payment Card Industry Data Security Standard). Any organization processing payment cards must use HSM-backed key management for encryption keys protecting cardholder data. HSMs provide the tamper resistance and access controls required by the standard.
What is key rotation?
Periodically replacing a cryptographic key with a newly generated key. Limits exposure: if an old key is compromised, only data encrypted during its use period is at risk. A KMS automates rotation on a schedule without application downtime.
What is key wrapping?
Encrypting one key with another key for secure storage or transport. A backup of an HSM's keys is wrapped (encrypted) with a master key before export. Useless without the master key to unwrap it β allows secure key backup without exposing raw key material.
What is a root of trust?
The foundational trusted component from which all other trust is derived. The TPM is a hardware root of trust β because the chip itself is inherently trustworthy (separate hardware, not modifiable by software), the measurements it makes can be trusted. Compromise of the root of trust undermines all derived trust.
What is dual control in key management?
A policy requiring two or more authorized individuals to cooperate for sensitive operations (accessing a key backup, HSM administration). Prevents any single insider from having unilateral access to critical key material. Common in HSM administration and key custodian procedures.
What is the key difference between TPM (device scope) and HSM (enterprise scope)?
TPM: local to one device, low throughput, built-in (low cost), used for that device's encryption and attestation. HSM: network-accessible by many applications, high throughput (hundreds of ops/sec), dedicated appliance (expensive), used for enterprise-wide key management and CA operations.
What is a Self-Encrypting Drive (SED)?
A drive with an encryption processor built into the controller. Encrypts/decrypts data transparently with a key stored in the drive hardware. Can be paired with a TPM for additional security β the drive key can be sealed to TPM measurements, ensuring decryption only on the original trusted system.
What problem does a KMS solve that storing keys in config files does not?
Keys in config files are stored in plaintext or weakly encrypted, accessible to anyone with file access, require manual rotation (error-prone, risky downtime), and have no audit trail. KMS: keys never appear in files, rotation is automated and audited, access is policy-controlled, revocation is instant and centralized.
Why can't Apple decrypt a user's iPhone data even with a court order?
The device encryption key is derived from a UID fused into the Secure Enclave hardware during manufacturing β Apple does not record it. The key exists only inside that specific device's Secure Enclave. Apple physically cannot reconstruct it. Access requires unlocking the device with the correct passcode/biometric.