Question 1: A company must comply with PCI-DSS requirements for protecting payment card encryption keys. Which technology satisfies this requirement?
Question 2: A laptop with BitLocker and TPM is stolen. The attacker removes the hard drive and connects it to their own machine. What will they encounter?
Question 3: What feature allows a TPM to detect if the system's boot process has been tampered with by malware?
Question 4: What is the primary advantage of a Key Management System over applications storing encryption keys in their own configuration?
Question 5: An iPhone user's device is seized by authorities. Even with Apple's cooperation, the data cannot be decrypted. What explains this?
Matching: Hardware Security Technologies
Match each technology to its primary use case.
TECHNOLOGY
PRIMARY USE CASE
Performance Task
A healthcare organization is building a new system to protect patient records. Requirements: (1) database encryption keys must be managed centrally and rotated annually, (2) the CA that issues internal certificates must have its private key hardware-protected with tamper response, (3) employee laptops must be protected if stolen, (4) an audit log of all key access must be maintained. Map each requirement to the correct technology and justify your choices.
Requirement 1 β Database key management (centralized, annual rotation):
β KMS (Key Management System). The KMS manages the database encryption key lifecycle, automates rotation without downtime, controls which applications can access the key, and maintains a full audit log of every access. The database application calls the KMS API rather than storing the key in its configuration.
Requirement 2 β CA private key hardware-protected with tamper response:
β HSM. The CA private key should be generated inside the HSM and never exported. All certificate signing operations happen inside the HSM. The HSM detects physical attacks and destroys keys (tamper-responsive). This meets both the hardware protection and tamper response requirements. The KMS can use the HSM as its backend for the CA key specifically.
Requirement 3 β Laptop protection if stolen:
β TPM + BitLocker. The TPM seals the BitLocker drive encryption key to the specific laptop hardware and expected boot state. A stolen drive attached to another machine is unreadable. This is the standard and cost-effective solution for laptop fleet protection.
Requirement 4 β Audit log of all key access:
β KMS. A properly configured KMS logs every key access request: which application, which key, what operation, at what time. This is one of the core value propositions of a KMS over distributed key storage. The HSM also logs all CA signing operations separately.