FDEs with or without TPMs
By: ispro in WAVX DD
Thu, 12 Apr 07 4:21 AM
WAVX DD Longs Board Msg. 06054 of 06056

We should not forget what TPMs are for. It's all about machine authentication, the root of trust.
Using FDEs in machines WITHOUT a TPM as a "pseudo" root of trust has several disadvantages.
1. The FDE preboot passwords are stored in a hidden partition on the HDD.
2. The FDE can only generate and store 4 profiles; TPMs can store thousands of them.
3. A 2.5" HDD is an easily removable device, so you can plug it into another machine with ETDM and without a TPM installed and your root of trust is GONE, IMO.
ERemoteAdministrationServer, EKeyTransferServer (and that's my opinion, NOT knowledge)
You can remotely manage, set up and change rights and keywords of FDE machines, with or without TPMs present, with the ERAS. IMO, for this capability you do not need ETSpro installed on the clients. ESC and ETDM are enough for this purpose.
BUT: You'll want your keys backed up through a server-side tool like our KTMS; that's where you need the ETSpro installed on your client. Only ETSpro has this capability.
So IMO, to secure your drive and manage it via ERAS it's enough to have ESC and ETDM present, but if you want to back up your keys you'll need ETSpro with ETDM on the client side and KTM on the server side.
(Ramsey: The Tarox machines have the ETSpro, ETDM installed, unlike the ASI which have only ESC, ETDM)
BR
ISPRO