Installation Manual
Trusted Platform Module (TPM)

We recommend that this Installation Manual be printed.

The instructions in this manual are based on Windows 7. Those for Windows Vista and Windows XP may differ from the ones for Windows 7. The differences are explained along with annotations.



TPM’s Outline

Conventional security measures such as file encryption and public key encryption save the encryption keys on the computer’s hard disk drive. Therefore the keys and passwords, as well as the encrypted data, are exposed to the risk of unauthorized copying and hacking.

The TPM method saves the encryption keys in the TPM chip, which is separate from the hard disk drive and CPU. To access the encryption keys, you need to input the password registered in the Security Platform (see page 8). You can apply a different security setting to each user account in the Security Platform.

[Figure: Conventional encryption vs. TPM encryption]
Conventional encryption: the encryption key is saved as a file on the hard disk drive. The document is encrypted, but the key itself remains unencrypted and is exposed to hacking.
TPM encryption: the encryption key is saved in the TPM chip, where it is securely kept. Password input is necessary to access the key.


Precautions

Security Functions

The TPM method does not guarantee data protection under all conditions. The TPM method uses multiple encryption keys, certificates and passwords. You cannot decrypt the encrypted data if you lose them. Keep the keys, certificates and passwords safe. (See “Backup” below.) We shall not be liable for any loss or damage whatsoever resulting from your TPM use or your neglect of TPM use, or any data loss resulting from such developments as TPM malfunctioning.

Backup

The files described below are necessary for recovering the Security Platform function. Back them up periodically in a safe location such as a removable disk to avoid data loss resulting from TPM malfunctioning or other accidents. We recommend that you store the files on a removable disk or network drive, because the benefit of TPM security can be reduced if you keep the files on the internal hard disk drive.

NOTE

In the default setting, the “System Backup Archive”, “System Backup Folder”, “Emergency Recovery Token”, “Password Reset Token”, and “Personal Secret File for Password Reset” are stored in “C:\Users\(user account)\Documents\Security Platform”*1. If a removable disk is connected, the files excluding the System Backup Archive and the System Backup Folder are automatically stored on the removable disk by priority.

Files and folder used by the Computer Administrator

• System Backup Archive (Default name: SPSystemBackup.xml)
• System Backup Folder (Default name: SPSystemBackup)
  You need the file and folder when you replace the embedded TPM chip or the hard disk drive, or reinstall Windows. The file and folder contain the backup of the emergency recovery data, and the keys, certificates and settings of all users. If you set up routine backup, the backup of each user setting will be automatically saved at the scheduled interval. To ensure the latest backup, manually back up every time you create or change a user setting. For further information, refer to “How to Backup and Restore” - “How to configure automatic backups (“System Backup”)” in the Infineon Security Platform Help menu. (Click (Start)*2 - [All Programs] - [Infineon Security Platform Solution] - [Help] - [Welcome to the Infineon Security Platform Solution] - [Advanced Security Platform Operation] - [Backup and Restore Security Platform Data])
• Emergency Recovery Token (Default name: SPEmRecToken.xml)
  You need this file when you replace the embedded TPM chip. Use the file for recovery using the emergency recovery data. (The emergency recovery data is contained in the System Backup Archive and System Backup Folder, and protected by this file.)
• Password Reset Token (Default name: SPPwdResetToken.xml)
  You need this file to create the Reset Authorization Code that is required to reset a specific user’s password. You cannot reset the password without this token.

File used by each User

• Personal Secret File for Password Reset (Default name: SPPwdResetSecret.xml)
  You use this file in combination with the Password Reset Token to reset the Basic User Password.

*1 Windows XP: “C:\Documents and Settings\(user account)\My Documents\Security Platform”
   Windows Vista: “C:\Users\(user account)\Documents\Security Platform”
*2 Windows XP: [start]

Cautions for Encryption

Do not encrypt the files described in “Backup” (see page 3). If you encrypt them, you will not be able to restore the Security Platform settings. In the default setting, these files are stored in “C:\Users”*3. Do not encrypt “C:\Users”*3.
Do not encrypt the files in “C:\Program Files”, because they contain a lot of application software. If you encrypt them, other users cannot access the software, and the software may not start up or other malfunctions may occur. Note that encrypting other files such as “C:\” may also cause similar problems.
Do not encrypt the “Security Platform” folder or any file/folder contained in it. This folder is created under the drive (default setting: “C:\”) which you specified while setting up the Personal Secure Drive. Because the Security Platform refers to this folder, encrypting it may disable the Personal Secure Drive.

*3 Windows XP: “C:\Documents and Settings”

When requesting repairs to the computer

Before getting the computer repaired, do the steps described under “Initializing Owner’s Data” (see page 9).
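The following PowerShell script is an added example, not part of the Panasonic manual or of Infineon's tools. It checks the backup files and folder listed under “Backup” in their default Windows Vista/7 location, warns when one is missing or has been EFS-encrypted (which the “Cautions for Encryption” forbid), and copies the usable ones to the first removable disk found. It assumes the default file names above, that the files are still in the default folder rather than already on a removable disk, and that PowerShell 2.0 or later is available.

```powershell
# Added example (not from the manual): inventory the Security Platform backup
# files, flag EFS-encrypted ones, and copy the rest to a removable disk.
# Assumption: default Vista/7 folder and default file names from the manual.

$backupDir = Join-Path $env:USERPROFILE 'Documents\Security Platform'

# Default names listed in the manual. Windows XP would use
# "C:\Documents and Settings\<user>\My Documents\Security Platform" instead.
$items = @(
    @{ Name = 'System Backup Archive';                  Path = 'SPSystemBackup.xml' },
    @{ Name = 'System Backup Folder';                   Path = 'SPSystemBackup' },
    @{ Name = 'Emergency Recovery Token';               Path = 'SPEmRecToken.xml' },
    @{ Name = 'Password Reset Token';                   Path = 'SPPwdResetToken.xml' },
    @{ Name = 'Personal Secret File for Password Reset'; Path = 'SPPwdResetSecret.xml' }
)

function Test-EfsEncrypted([string]$Path) {
    # EFS sets the Encrypted attribute on files and folders it protects.
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
}

# DriveType 2 = removable disk (e.g. a USB stick); the manual recommends
# keeping these backups off the internal hard disk drive.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' |
    Select-Object -First 1

$problems = 0
foreach ($i in $items) {
    $full = Join-Path $backupDir $i.Path
    if (-not (Test-Path -LiteralPath $full)) {
        Write-Warning ("Missing {0} ({1}). Create it with the Security Platform tools before relying on recovery." -f $i.Name, $full)
        $problems++
        continue
    }
    if (Test-EfsEncrypted $full) {
        # An encrypted token or archive cannot be used to restore the platform.
        Write-Warning ("{0} is EFS-encrypted; decrypt it before backing it up." -f $full)
        $problems++
        continue
    }
    if ($removable) {
        $dest = Join-Path ($removable.DeviceID + '\') 'Security Platform'
        if (-not (Test-Path -LiteralPath $dest)) {
            New-Item -ItemType Directory -Path $dest | Out-Null
        }
        Copy-Item -LiteralPath $full -Destination $dest -Recurse -Force
        Write-Host ("Copied {0} to {1}" -f $i.Name, $dest)
    }
}

if (-not $removable) {
    Write-Warning 'No removable disk found; the backups were checked but not copied.'
}
Write-Host ("{0} item(s) need attention." -f $problems)
```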


Installing TPM

This manual describes Steps 1, 2 and the initial part of Step 3. For further steps, refer to “Step 3 Initializing the Security Platform” (see page 8) and the Infineon Security Platform Help menu. (Click (Start)*1 - [All Programs] - [Infineon Security Platform Solution] - [Help].)

*1 Windows XP: [start]

[Figure: overview of the installation steps]

Performed by the Computer Administrator:
Step 1 Changing the Setup Utility Settings
  Supervisor Password
  Setting the Embedded Security (TPM)
Step 2 Installing the Security Platform
Step 3 Initializing the Security Platform
  Owner’s Data: Owner Password, System Backup Archive, System Backup Folder, Password Reset Token, Password
  Data for emergency use: Emergency Recovery Token, Password

Performed by each user:
Step 4 Initializing the user
  User’s Data: Basic User Password, Personal Secret


Step 1 Changing the Setup Utility Settings

Performed by the Computer Administrator.

NOTE

<For CF-U1 series Numeric Keyboard Model>
When performing the following procedure, connect the USB keyboard. Then, press the key indicated in ( ) instead of the key or key combination which is listed immediately before it.

<For CF-H1 series>
When performing the following procedure, set the computer in the cradle and connect the USB keyboard. Then, press the key indicated in ( ) instead of the key or key combination which is listed immediately before it.

1 Register the Supervisor Password.
You have to register the Supervisor Password to proceed to the next step.
A Turn on or restart the computer.
B Press Fn + F2 (F2) or Fn + Del (Del) while the [Panasonic] boot screen is displayed soon after the computer starts the startup procedure. The Setup Utility starts up.
C Select the [Security] menu.
D Select [Set Supervisor Password] and press Enter (Enter).
E Enter your password in [Create New Password] and press Enter (Enter). For restrictions on the password input, refer to the Reference Manual of your computer.
F Enter your password again in [Confirm New Password] and press Enter (Enter).

2 <Only for CF-U1 series> Enable the Embedded Security Chip.
A Select [Enable Embedded Security Chip (TPM)] and press Enter (Enter). Once TPM is enabled, this item is not displayed again.
B At the confirmation message, select [Ok] and press Enter (Enter). The computer restarts automatically.
C Press Fn + F2 (F2) or Fn + Del (Del) while the [Panasonic] boot screen is displayed soon after the computer starts the startup procedure. The Setup Utility starts up.


3 Enable the Embedded Security (TPM).
A Select [Embedded Security (TPM)] in the [Security] menu and press Enter (Enter).
B Select [TPM State] and set it to [Enable]. If a confirmation message is displayed, press Enter (Enter).
C Press Fn + Esc (Esc) to close the sub-menu.
D Press Fn + F10 (F10), select [Yes] and press Enter (Enter) to exit the Setup Utility.

NOTE

The default setting of [Sub-Menu Protection] is [Protected]. If you select [No Protection], a user with only a User Password can enter [Embedded Security (TPM)] and change the settings, including [Clear TPM Owner] (see page 9). Take special care when you change the default setting.

Step 2 Installing the Security Platform

Performed by the Computer Administrator.

1 Log on to Windows as an Administrator.

2 Close all programs.

3 <Windows 7> Click (Start), enter [c:\util\drivers\tpm\infineon\setup.exe] in [Search Programs and files], and press Enter.
<Windows Vista> Click (Start), enter [c:\util\drivers\tpm\infineon\setup.exe] in [Start Search], and press Enter.
<Windows XP> Input [c:\util\drivers\tpm\infineon\setup.exe] in [start] - [Run] and click [OK].

The message “Infineon TPM Professional Package requires that the following requirements be installed on your computer prior to installing this application. Click Install to begin installing these requirements:” may be displayed. If this message is displayed, click [Install]. The [InstallShield Wizard] screen appears.

4 Click [Next].


5 Carefully read the License Agreement. Select “I accept the terms in the license agreement”, and click [Next]. Installation starts. Follow the on-screen instructions.

6 When the message [InstallShield Wizard Completed] appears, click [Finish]. When the readme is displayed, read it carefully and close it.

7 When the restart confirmation message is displayed, click [Yes] to restart the computer.

8 Log on to Windows as an Administrator. The “Security Platform Indicator Icon” appears in the notification area.

Step 3 Initializing the Security Platform

The “The Security Platform state is “Not initialized”. Click here to initialize now.” message is displayed by the “Security Platform Indicator Icon” in the notification area.

1 Click on the “The Security Platform state is “Not initialized”. Click here to initialize now.” message to start the “Security Platform Quick Initialization Wizard”. Alternatively, double-click the “Security Platform Indicator Icon” in the notification area.

2 Click [Advanced initialization (for expert users)], then click [Next]. Follow the on-screen instructions.

For further information, refer to the Infineon Security Platform Help menu. (Click (Start)*2 - [All Programs] - [Infineon Security Platform Solution] - [Help] - [Welcome to the Infineon Security Platform Solution] - [The Security Platform Solution Tools] - [Security Platform Initialization Wizard].)

After completing the above procedure, initialize each user.

*2 Windows XP: [start]

CAUTION

Do not forget or delete any of the passwords and files. If you lose them, administration or recovery of the Security Platform becomes impossible. Keep the passwords and files safe.

NOTE

Creating the Personal Secure Drive takes 1-2 minutes for a capacity of 1 GB. Wait until the process is complete.


Initializing Owner’s Data

When you dispose of the computer or transfer ownership, initialize the owner’s data to prevent the TPM-encrypted data from being decrypted by an unauthorized person.

NOTE

<For CF-U1 series Numeric Keyboard Model>
When performing the following procedure, connect the USB keyboard. Then, press the key indicated in ( ) instead of the key or key combination which is listed immediately before it.

<For CF-H1 series>
When performing the following procedure, set the computer in the cradle and connect the USB keyboard. Then, press the key indicated in ( ) instead of the key or key combination which is listed immediately before it.

1 Start the Setup Utility (see page 6).

2 Select the [Security] menu, and select [Embedded Security (TPM)] and press Enter (Enter).

If you cannot enter [Embedded Security (TPM)] using the User Password, ask the administrator for the Supervisor Password. You cannot enter [Embedded Security (TPM)] if the Supervisor Password has not been registered.

3 Select [TPM State] and set to [Disabled].

4 Select [Pending TPM operation] and set to [Clear TPM Owner].

5 Press Fn + F10 (F10), select [Yes] and press Enter (Enter) to exit the Setup Utility. The computer restarts automatically.

You will not be able to use the TPM-encrypted data after this procedure, but it will still remain on the hard disk drive. Erase this data and all internal data using the Hard Disk Data Erase Utility. For further information, refer to the Operating Instructions of this computer.


FAQ

Can I Uninstall the Security Platform?

Yes, you can. Click (Start) - [Control Panel] - [Uninstall a program]*1 and delete the [Infineon TPM Professional Package]. Before uninstalling the Security Platform, back up or decrypt the files encrypted in the Security Platform. If you do not back up or decrypt the files, you will not be able to access them after uninstallation. Note that even after uninstallation, part of the data will remain in the computer. For further information, click (Start)*2 - [All Programs] - [Infineon Security Platform Solution] - [Help] - [Welcome to the Infineon Security Platform Solution] - [Frequently Asked Questions and Troubleshooting] - [Frequently Asked Questions (FAQ)].

I Cannot Encrypt Files. What Should I Do?

The hard disk drive should be formatted as an NTFS volume. If [NTFS] is displayed in [File system], you can encrypt the files. To check the status, click (Start) - [Computer]*3, right-click [Local Disk (C:)] and click [Properties]. Only files saved on a hard disk drive formatted with the NTFS file system can be encrypted. Encrypting File System (EFS) may not be supported depending on the edition of Windows 7. When you delete the Personal Secure Drive (PSD), if you copy and save the data and folders in the PSD as unencrypted, they will not be encrypted after deleting the PSD. Send or copy them to a folder which allows you to encrypt.

<Windows 7/Windows Vista> The [C:\Users] Folder Was Encrypted by Mistake. Can I Decrypt It?

You can decrypt the folder, but the data may not be restored completely. To decrypt the folder, you must log on as the user who encrypted it. Logging on as another user may cause such troubles as hang-ups during Windows logon and irregular display of file icons.
A Log on as the user who encrypted the folder. (It may take some time to start up the computer.) If the Basic User Password is requested, enter the password.
B Click (Start) - [All Programs] - [Accessories], right-click [Command Prompt], and click [Run as administrator].
C Enter [cipher /d /s:\Users] and press Enter. If the Basic User Password is requested, enter the password.

*1 Windows XP: [start] - [Control Panel] - [Add or Remove Programs]
*2 Windows XP: [start]
*3 Windows XP: [start] - [My Computer]
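The following PowerShell script is an added example, not part of the Panasonic manual or of Infineon's tools. It covers the two FAQ items above, “I Cannot Encrypt Files” and “The [C:\Users] Folder Was Encrypted by Mistake”: it checks whether C: is NTFS (otherwise EFS cannot be used at all) and reports whether the folders the manual says must never be encrypted, or any Security Platform file under C:\Users, currently carry the EFS attribute. It only reports; the FAQ's own steps (log on as the encrypting user, then cipher /d) remain the remediation. Assumes Windows Vista/7 paths and the default “Security Platform” folder under C:\.

```powershell
# Added example (not from the manual): pre-checks for the EFS-related FAQ items.
# Assumptions: Windows Vista/7 paths; Personal Secure Drive folder at C:\Security Platform.

function Get-DriveFileSystem([string]$DeviceId = 'C:') {
    # Win32_LogicalDisk.FileSystem reads e.g. "NTFS" or "FAT32"; EFS needs NTFS.
    (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID = '$DeviceId'").FileSystem
}

function Test-EfsEncrypted([string]$Path) {
    # True when the file or folder itself carries the EFS Encrypted attribute.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EncryptedChildren([string]$Root) {
    # Every file and folder under $Root that is EFS-encrypted (hidden ones included).
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { [int]($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

# FAQ: "I Cannot Encrypt Files" - the volume must be NTFS.
$fs = Get-DriveFileSystem 'C:'
if ($fs -ne 'NTFS') {
    Write-Warning "C: is formatted as $fs, not NTFS; files on it cannot be encrypted with EFS."
} else {
    Write-Host 'C: is NTFS; EFS can be used on this volume.'
}

# Folders the manual says must not be encrypted (Cautions for Encryption).
$mustNotEncrypt = @('C:\Users', 'C:\Program Files', 'C:\Security Platform')
foreach ($dir in $mustNotEncrypt) {
    if (Test-EfsEncrypted $dir) {
        # Remediation per the FAQ: log on as the encrypting user, elevated prompt, cipher /d.
        Write-Warning "$dir is EFS-encrypted. Log on as the user who encrypted it and run: cipher /d /s:`"$dir`""
    }
}

# FAQ: "[C:\Users] was encrypted by mistake" - the Security Platform backup
# files (SP*.xml, SPSystemBackup) and folder must be clear for recovery to work.
$enc = @(Get-EncryptedChildren 'C:\Users' |
    Where-Object { $_.Name -like 'SP*' -or $_.FullName -like '*\Security Platform\*' })
if ($enc.Count -gt 0) {
    Write-Warning ("{0} Security Platform item(s) under C:\Users are EFS-encrypted:" -f $enc.Count)
    $enc | ForEach-Object { Write-Host ('  ' + $_.FullName) }
} else {
    Write-Host 'No Security Platform files under C:\Users are EFS-encrypted.'
}
```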


<Windows XP> The [C:\Documents and Settings] Folder Was Encrypted by Mistake. Can I Decrypt It?

You can decrypt the folder, but the data may not be restored completely. To decrypt the folder, you must log on as the user who encrypted it. Logging on as another user may cause such troubles as hang-ups during Windows logon and irregular display of file icons.
A Log on as the user who encrypted the folder. (It may take some time to start up the computer.) If the Basic User Password is required, enter the password.
B Click [start] - [My Computer] - [Local Disk (C:)], right-click [Documents and Settings] and click [Decrypt].
C Click [Confirm Attribute Changes] - [Apply changes to this folder, subfolders and files] - [OK]. If an error message appears, click [Ignore] or [Ignore all]. If the Basic User Password is requested, enter the password.

What Should I Do When I Received the Repaired Computer?

Perform “Step 1 Changing the Setup Utility Settings” (see page 6), and follow the Security Platform Help menu to restore the Security Platform settings.

© Panasonic Corporation 2005-2009

PCE0181AG_XP/V/7