Chapter 14 Β· Glossary

Encryption Technologies β€” Term Reference

Every term you need for hardware-based encryption technologies on the Security+ exam.

TPM (Trusted Platform Module)
A hardware chip soldered to the motherboard with its own CPU, memory, and persistent storage. Generates and stores cryptographic keys that are bound to that specific hardware. Used for BitLocker disk encryption, device attestation, and measured boot. Keys never need to leave the chip.
HSM (Hardware Security Module)
A dedicated hardware device (network appliance or PCIe card) designed for enterprise-scale cryptographic key management. Tamper-resistant or tamper-responsive β€” physically attacking it triggers key destruction. Used for CA private keys and PCI-DSS payment processing. Applications send data to the HSM for signing/encryption; the key never leaves the device.
Key Management System (KMS)
Centralized software (often HSM-backed) that manages the full lifecycle of cryptographic keys: generation, storage, distribution, rotation, and revocation. Applications call the KMS API rather than storing raw keys locally. Provides audit logging, access control, and automated key rotation.
Secure Enclave
A hardware-isolated coprocessor within a device's main processor chip with its own boot process, memory, and storage. Used in Apple devices (and similar in Android) to protect biometric data and device encryption keys. Isolated from the main OS β€” even a fully compromised operating system cannot access enclave data.
Measured Boot
A TPM feature that records cryptographic hash measurements of each boot component (firmware, bootloader, OS) into the TPM's Platform Configuration Registers (PCRs). If the boot sequence has been tampered with, the measurements change and the TPM can detect the modification and refuse to release keys.
Tamper-Resistant
Hardware designed to be physically difficult to attack β€” hardened enclosures, potting compounds that fill internal spaces, and circuitry that detects physical intrusion attempts. Slows down physical attacks but does not guarantee complete protection under a sufficiently determined attacker.
Tamper-Responsive (Tamper-Evident)
Hardware that actively detects physical attack attempts and responds by destroying the sensitive data inside. An HSM that detects a drill or voltage manipulation will immediately zero-out all stored keys. Even a successful physical breach yields no useful key material.
Key Rotation
The process of periodically replacing a cryptographic key with a newly generated key. Limits the exposure window if a key is compromised β€” only data encrypted since the last rotation is at risk. A KMS automates rotation on a schedule without application downtime.
Key Wrapping
Encrypting one key with another key for secure storage or transport. A backup of an HSM's keys might be "wrapped" (encrypted) with a master key before export. The wrapped key can be stored or transmitted β€” it is useless without the master key to unwrap it.
Root of Trust
The foundational, trusted component from which all other trust in a system is derived. The TPM is a hardware root of trust β€” because the TPM chip itself is trustworthy, the measurements it makes of the boot process can be trusted. If the root of trust is compromised, all derived trust is suspect.
Platform Configuration Register (PCR)
Registers within a TPM that store hash measurements of boot components during measured boot. Values are extended (new measurements are combined with previous values) so the full boot history is recorded. Sealing a key to specific PCR values means the key can only be released when the system boots in exactly the measured configuration.
Key Custodian
A trusted individual responsible for holding a portion of a cryptographic key or key backup. Key custodianship often implements dual control β€” multiple custodians must cooperate to reconstruct a key, preventing any single person from having unilateral access to critical key material.
Dual Control
A security policy requiring that two or more authorized individuals must cooperate to perform a sensitive operation β€” such as accessing a key backup or authorizing a cryptographic operation. Prevents insider threats by ensuring no single person has complete access to critical secrets.
PCI-DSS HSM Requirement
The Payment Card Industry Data Security Standard (PCI-DSS) requires that cryptographic keys used to protect cardholder data be stored and managed in HSMs. This is a compliance mandate β€” any organization processing payment cards must use HSM-backed key management for their payment encryption keys.
Self-Encrypting Drive (SED)
A hard drive or SSD with an encryption processor built into the drive controller. Encrypts and decrypts data transparently with a key stored inside the drive hardware. Can be used with a TPM for additional security β€” the drive key can be sealed to TPM measurements, ensuring decryption only occurs on the original trusted system.
Key Escrow (Hardware)
Storing a backup of key material in a secure hardware vault (typically an HSM) for authorized recovery. Unlike software-based key escrow, hardware key escrow keeps the backup encrypted and protected by the HSM's tamper resistance. Required for organizational key recovery when an employee leaves or a system fails.