Infineon Security Platform Solution

Frequently Asked Questions (FAQ)

How can an Infineon Security Platform User be removed?

Is it a security problem to store Emergency Recovery data on a remote machine?

Can the Infineon Security Platform Solution Software be uninstalled and if so, how can it be done?

What information is left on a system after a successful uninstallation?

After enrolling a certificate using Internet Explorer, the certificate cannot be used. An error message is displayed.

The operating system feature for folder compression is used to store user data. How can EFS be activated for this compressed folder? Can the features be combined?

The certificate assigned to an EFS folder needs to be changed. Can it be done without risk for the data in this folder? Is it possible to assign an arbitrary certificate to the folder?

How can an Infineon Security Platform be prepared for a successful system backup? Which files are essential for a successful restoration of an Infineon Security Platform using system mechanisms?

How to configure and handle the Backup Archive, especially with respect to policy settings?

How to create a public key archive file from a token file?

Remarks on EFS are only relevant for Windows editions supporting EFS.

How can an Infineon Security Platform User be removed?

There are two different types of removal operations:

  • The complete removal of an operating system user account is a straightforward operation supported by Windows. When a user account is removed, the check box for deletion of the user profile has to be checked. This operation completely removes the user account information from the system.

  • To remove only the Infineon Security Platform User information without touching the system account information, the user specific folder \%AppData%\Infineon\TPM Software 2.0 has to be deleted.

If you want to remove all data related to a Security Platform User, then please refer to the user-specific data listed in the section "What information is left on a system after a successful uninstallation?".

If any data exists on the system that was encrypted with an Infineon Security Platform User specific key, this data cannot be decrypted once the user account has been removed.


Is it a security problem to store Emergency Recovery data on a remote machine?

There is no security problem. The data is protected by the Emergency Recovery Token, which in turn is protected by the Emergency Recovery Token password.

In server mode there is no security problem as Emergency Recovery is handled by Trusted Computing Management Server.


Can the Infineon Security Platform Solution Software be uninstalled and if so, how can it be done?

It can be uninstalled using the standard software removal process offered by the operating system. Before doing so, all user data protected by the Security Platform has to be saved. Without saving, there will be no opportunity to access this data once the Infineon Security Platform Solution Software is removed from the system. The last step is to deactivate the Trusted Platform Module in the computer BIOS.

A new release can be installed on a previous one, without uninstalling it. In this case, a complete user data backup is not required.


What information is left on a system after a successful uninstallation?

If the Security Platform Solution Software is uninstalled, some information is left on the system. Because the platform and user settings and credentials are kept, the system will be in the same state as before after a re-installation. Thus no previously encrypted data will be lost after a re-installation of the Infineon Security Platform Software.

However, if this data is no longer needed and the system is to be completely cleaned up, the following data should be deleted.

Backup Archives: The location of automatically written Backup Archives is specified by the administrators. Please note that an automatically written Backup Archive is represented on the file system by an XML file and a folder with the same name, e.g. file SPSystemBackup.xml and folder SPSystemBackup. Additionally, there may be some manually written Backup Archives.

Emergency Recovery Token: The location is specified by the Security Platform Owner during Security Platform initialization.

Emergency Restoration Archive:

i) Windows 7 and Vista: \%ALLUSERSPROFILE%\Infineon\TPM Software 2.0\RestoreData\<Machine SID>\Users\<User SIDs>\SHTempRestore.xml

ii) Windows XP Professional, Windows 2000 and other supported operating systems: \%ALLUSERSPROFILE%\<Application Data>\Infineon\TPM Software 2.0\RestoreData\<Machine SID>\Users\<User SIDs>\SHTempRestore.xml

System Data and System Keys Files:

i) Windows 7 and Vista: \%ALLUSERSPROFILE%\Infineon\TPM Software 2.0\PlatformKeyData
IFXConfigSys.xml
IFXFeatureSys.xml
TCSps.xml
TPMCPSys.xml

ii) Windows XP Professional, Windows 2000 and other supported operating systems: \%ALLUSERSPROFILE%\<Application Data>\Infineon\TPM Software 2.0\PlatformKeyData
IFXConfigSys.xml
IFXFeatureSys.xml
TCSps.xml
TPMCPSys.xml

Local Shadow Backup Files:

i) Windows 7 and Vista:
\%ALLUSERSPROFILE%\Infineon\TPM Software 2.0\BackupData\<Machine SID>\System\SHBackupSys.xml
\%ALLUSERSPROFILE%\Infineon\TPM Software 2.0\BackupData\<Machine SID>\Users\<User SIDs>\SHBackup.xml

ii) Windows XP Professional, Windows 2000 and other supported operating systems:
\%ALLUSERSPROFILE%\<Application Data>\Infineon\TPM Software 2.0\BackupData\<Machine SID>\System\SHBackupSys.xml
\%ALLUSERSPROFILE%\<Application Data>\Infineon\TPM Software 2.0\BackupData\<Machine SID>\Users\<User SIDs>\SHBackup.xml

User Key Files: \%AppData%\Infineon\TPM Software 2.0\UserKeyData\TSPps.xml

TPM Cryptographic Service Provider Container: \%AppData%\Infineon\TPM Software 2.0\UserKeyData\TPMcp.xml

TPM PKCS #11 Provider File: \%AppData%\Infineon\TPM Software 2.0\UserKeyData\TPMck.xml

User Configuration Files: \%AppData%\Infineon\TPM Software 2.0\UserKeyData\
IFXConfig.xml
IFXFeature.xml


Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Infineon\TPM Software
HKEY_CURRENT_USER\Software\Infineon\TPM software

The following Personal Secure Drive registry keys have to be deleted manually, when the Personal Secure Drive security feature is uninstalled:
[HKEY_LOCAL_MACHINE\SOFTWARE\Infineon\TPM Software\PSD]
[HKEY_CURRENT_USER\SOFTWARE\Infineon\TPM Software\PSD]

Personal Secure Drive Directories: Additionally, the following directories have to be deleted manually:
x:\Security Platform\Personal Secure Drive\System Data
where x: is the drive on which the Personal Secure Drives are located. This drive is either selected during Personal Secure Drive creation (and can therefore be any local hard disk) or is defined by the Personal Secure Drive local user policy.

Miscellaneous:
Registered Trusted Platform Module based certificates
Scheduled Backup Task (e.g. C:\WINDOWS\Tasks\Security Platform Backup Schedule)
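The following PowerShell script is an added example (not part of the Infineon documentation) that walks the locations listed above on a Windows 7 / Vista layout and reports what is still present; it removes nothing unless -Remove is given, and it leaves the UserKeyData folder alone unless -IncludeUserKeys is also given, because deleting the user key files makes data encrypted with those keys unrecoverable. Backup Archives, the Emergency Recovery Token and registered TPM-based certificates are stored at administrator-chosen locations and are therefore not covered; the "Security Platform Backup Schedule" task file name is assumed to carry an extension, hence the wildcard.

```powershell
[CmdletBinding(SupportsShouldProcess=$true)]
param([switch]$Remove, [switch]$IncludeUserKeys)

# Windows 7 / Vista layout from the list above; older editions add <Application Data>.
$sys  = Join-Path $env:ALLUSERSPROFILE 'Infineon\TPM Software 2.0'
$user = Join-Path $env:APPDATA 'Infineon\TPM Software 2.0'

# UserKeys=$true marks data whose deletion makes user-encrypted data unrecoverable.
$items = @(
    @{ Name = 'Emergency Restoration Archive'; Path = "$sys\RestoreData\*\Users\*\SHTempRestore.xml"; UserKeys = $false }
    @{ Name = 'System Data and System Keys';   Path = "$sys\PlatformKeyData";                       UserKeys = $false }
    @{ Name = 'Local Shadow Backup (system)';  Path = "$sys\BackupData\*\System\SHBackupSys.xml";   UserKeys = $false }
    @{ Name = 'Local Shadow Backup (users)';   Path = "$sys\BackupData\*\Users\*\SHBackup.xml";     UserKeys = $false }
    @{ Name = 'User key, CSP, PKCS#11 and config files'; Path = "$user\UserKeyData";               UserKeys = $true  }
    @{ Name = 'Scheduled backup task';  Path = "$env:WINDIR\Tasks\Security Platform Backup Schedule*"; UserKeys = $false }
    @{ Name = 'Registry (machine, incl. PSD)'; Path = 'HKLM:\SOFTWARE\Infineon\TPM Software';      UserKeys = $false }
    @{ Name = 'Registry (user, incl. PSD)';    Path = 'HKCU:\Software\Infineon\TPM Software';      UserKeys = $false }
)
# Personal Secure Drive system data may sit on any local disk, so every drive root is checked.
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
    $items += @{ Name = 'PSD System Data'; Path = (Join-Path $d.Root 'Security Platform\Personal Secure Drive\System Data'); UserKeys = $false }
}

$report = @()
foreach ($i in $items) {
    # Wildcards in Path are expanded for both file-system and registry locations; missing ones are skipped.
    foreach ($f in (Get-Item -Path $i.Path -ErrorAction SilentlyContinue)) {
        $action = 'PRESENT'
        if ($Remove -and ($IncludeUserKeys -or -not $i.UserKeys)) {
            # -WhatIf / -Confirm are honoured here through SupportsShouldProcess.
            if ($PSCmdlet.ShouldProcess($f.PSPath, "Remove $($i.Name)")) {
                Remove-Item -LiteralPath $f.PSPath -Recurse -Force
                $action = 'REMOVED'
            }
        }
        $report += [pscustomobject]@{ Action = $action; Item = $i.Name; Location = $f.PSPath }
    }
}
$report | Format-Table -AutoSize
```

Run it first without switches (or with -Remove -WhatIf) to see what would be touched; the registry keys are removed recursively, which also covers the PSD subkeys listed above.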


After enrolling a certificate using Internet Explorer, the certificate cannot be used. An error message is displayed.

The certificate is blocked by Internet Explorer, although it is already stored in the user's certificate store. Close Internet Explorer and open it again to unlock the certificate.


The operating system feature for folder compression is used to store user data. How can EFS be activated for this compressed folder? Can the features be combined?

A combination is not possible, as the operating system does not allow a compressed folder to also be an EFS protected folder. First, the compression has to be revoked. Then the EFS functionality can be activated for the folder.


The certificate assigned to an EFS folder needs to be changed. Can it be done without risk for the data in this folder? Is it possible to assign an arbitrary certificate to the folder?

Generally, assigning an additional certificate to an EFS folder is not a problem. The prime boundary condition is that all certificates have to be controlled by the same Cryptographic Service Provider. As long as the previously assigned certificate(s) exist, encrypted data will still be readable. Once a certificate protecting a file in an EFS folder is removed from the system, the respective files are lost.
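The following PowerShell script is an added example (not part of the Infineon documentation) that applies the two EFS answers above to one folder: it removes NTFS compression first, because Windows refuses to compress and EFS-encrypt the same folder, then enables EFS and verifies the result, and optionally adds a further certificate by thumbprint while leaving the existing one in place so the files stay readable. The $Folder and $AddCertHash parameters are assumptions of this example; the added certificate must be handled by the same Cryptographic Service Provider as the existing one.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Folder,
    [string]$AddCertHash   # optional SHA-1 thumbprint of an additional EFS certificate
)
$item = Get-Item -LiteralPath $Folder
if (-not $item.PSIsContainer) { throw "$Folder is not a folder" }

if ($item.Attributes -band [IO.FileAttributes]::Compressed) {
    # Step 1: revoke NTFS compression on the folder and everything below it.
    & compact.exe /U /S:"$Folder" /I /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "compact.exe failed with exit code $LASTEXITCODE" }
}

# Step 2: enable EFS for the folder and its contents.
& cipher.exe /E /S:"$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe /E failed with exit code $LASTEXITCODE" }

# Verify: the Encrypted attribute must now be set and Compressed must be clear.
$attrs = (Get-Item -LiteralPath $Folder).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) { throw "EFS was not enabled on $Folder" }
if ($attrs -band [IO.FileAttributes]::Compressed) { throw "$Folder is still compressed" }

if ($AddCertHash) {
    # Step 3 (optional): add a further certificate to every file in the folder. The
    # previously assigned certificate is kept, so the data remains readable with either key.
    & cipher.exe /ADDUSER /CERTHASH:$AddCertHash /S:"$Folder" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /ADDUSER failed with exit code $LASTEXITCODE" }
}
Write-Output "EFS enabled on $Folder"
```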


How can an Infineon Security Platform be prepared for a successful system backup? Which files are essential for a successful restoration of an Infineon Security Platform using system mechanisms?

The core files of the Infineon Security Platform do not include the applications of the Infineon Security Platform Software. The Software can be re-installed after a system backup has been restored.

The Infineon Security Platform Solution Software specific data is backed up using the Infineon Security Platform Backup Wizard.
The Infineon Security Platform Backup Wizard does not back up protected data such as your encrypted files or e-mails, which have to be backed up using other backup tools. You should include the Backup Archive of the Infineon Security Platform Backup Wizard in your routine mass data backup.

If you do not use the Infineon Security Platform Backup Wizard for the Security Platform Solution Software specific data, then please make sure to back up all the data listed in the section "What information is left on a system after a successful uninstallation?".


  • Automatic system backups set up by the Security Platform Administrator include also Emergency Recovery data.
  • In server mode Backup and Restoration are handled by Trusted Computing Management Server.


How to configure and handle the Backup Archive, especially with respect to policy settings?

You can configure all your enterprise Security Platforms to use a common Backup Archive by setting the policy Backup Archive Location.

In case a new Backup Archive has to be created, it is very important not to import the policies before the first Infineon Security Platform has been initialized.

After this, the policy administration has to be started and the policy has to be configured correctly by setting the location of the previously created Backup Archive. Finally the configured file will be used automatically when all other enterprise Security Platforms are initialized.

This section does not apply in server mode, since Backup and Restoration are handled by Trusted Computing Management Server.


How to create a public key archive file from a token file?

You can specify in group policy settings that the public key of an existing Emergency Recovery Token or Password Reset Token is used from an archive file (see the System Policies "Use public key of Emergency Recovery Token from archive" and "Use public key of Password Reset Token from archive"). To create such an archive file from the existing token file, perform the following steps:

  • Completely initialize the platform (including Emergency Recovery and Password Reset) with default policy settings on the first system (e.g. on a test system).
    Quick Initialization Wizard creates a generic token file for both Emergency Recovery and Password Reset.
    Platform Initialization Wizard creates a token file for Emergency Recovery and another one for Password Reset.
  • Run the script attached below on the same system to create the required public key archive file from the corresponding token file.
  • Copy the public key archive file to a suitable location and enable the policies mentioned above.

Script GeneratePubKeyArchive.vbs:
'GeneratePubKeyArchive.vbs <Full path to Token.xml> <Full path to PubKeyArchive.xml>
'The <Full path to Token.xml> can be one of the following tokens:
' - SPPwdResetToken.xml
' - SPEmRecToken.xml
' - SPGenericToken.xml
'The <Full path to PubKeyArchive.xml> is the output, which contains the public key extracted from the input token:
' - SPPwdResetTokenPubKeyArchive.xml
' - SPEmRecTokenPubKeyArchive.xml
' - SPGenericTokenPubKeyArchive.xml
'For usage by the "Use public key of Emergency Recovery Token from archive" policy:
' - SPEmRecTokenPubKeyArchive.xml
' - SPGenericTokenPubKeyArchive.xml
'For usage by the "Use public key of Password Reset Token from archive" policy:
' - SPPwdResetTokenPubKeyArchive.xml
' - SPGenericTokenPubKeyArchive.xml
'Be sure to specify the full path e.g.:
' GeneratePubKeyArchive.vbs "c:\tmp\SPGenericToken.xml" "c:\tmp\SPGenericTokenPubKeyArchive.xml"
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: " & WScript.ScriptName & " ""<Full path to Token.xml>"" ""<Full path to PubKeyArchive.xml>"""
    WScript.Quit 1
End If

' Create the Security Platform management provider; this fails if the Security Platform Software is not installed.
On Error Resume Next
Set MPBase = WScript.CreateObject("IfxSpMgtPrv.MgmtProvider")
If Err.Number <> 0 Then
    WScript.Echo "Cannot create IfxSpMgtPrv.MgmtProvider: " & Err.Description
    WScript.Quit 1
End If
' Interface 10 is the token management interface.
Set MPToken = MPBase.GetInterface(10)

' CreationFlags: keep existing file = 0, overwrite existing file = 1
CreationFlags = 0
ReservedFlag = 0

' Extract the public key from the token file and write it to the archive file.
MPToken.CreatePublicKeyFile WScript.Arguments(0), WScript.Arguments(1), CreationFlags, ReservedFlag
If Err.Number <> 0 Then
    WScript.Echo "CreatePublicKeyFile failed: " & Err.Description & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If
On Error GoTo 0
WScript.Echo "Done"

This section does not apply in server mode, since Emergency Recovery and Password Reset are handled by Trusted Computing Management Server.




©Infineon Technologies AG