Migrating Keys to other Systems

Once a system user is set up as an Infineon Security Platform User, the user-specific security environment may be needed not only on the computer where the setup took place, but also on other computers the user has access to. Running the setup separately on each computer will not help, because the resulting security elements are not compatible: for example, an e-mail signed on one computer will not be accepted on the other, since the two computers use different signing keys.

Migration Basics

The Infineon Security Platform handles this situation by offering a migration path for the user-specific secret. The basic idea of this technology is the strict separation of the administrative and the operational role of migration. This separation is required to guarantee that the migrated secrets remain personal to the user, while at the same time ensuring that no means exist to transfer the secrets without the knowledge of an administrative instance.

After the successful migration of a user the target computer hosts the very same security environment that is also available on the source computer. From the point of view of the Infineon Security Platform User, no difference exists in the operational behavior of the systems.

Nevertheless, the two computers remain independent Infineon Security Platforms. The migration of user keys has no impact on the primary security structure of the Infineon Security Platform. Most importantly, the secrets stored in the Trusted Platform Module are not touched by this operation.

In server mode, migration of user-specific credentials and settings is handled by the Trusted Computing Management Server. At logon, users receive the necessary updates whenever their credentials and settings have changed. This is also called roaming. The update from the server database overwrites the local user-specific credentials and settings.
In stand-alone mode, the user-specific credentials and settings on the migration source and destination computers are merged.

The migration operation is performed using the Infineon Security Platform Migration Wizard.

Migration to a computer without existing user keys and certificates:
The migration process will install new user keys and certificates on the machine you are migrating to.
You will need to configure Security Platform Features for use with these new keys and certificates.
Migration to a computer with existing user keys and certificates (different Basic User Key):
The migration process will invalidate the existing Security Platform keys and certificates installed on the machine you are migrating to. Your encrypted data may be lost as a result of this operation. Decrypt your encrypted data before proceeding with migration, or contact your system administrator for the data recovery procedure.
Migration to a computer with existing user keys and certificates (same Basic User Key):
If the destination computer already uses the same Basic User Key as the source computer, then the migration process will merge your user keys and certificates. After migration, the keys and certificates from the migration archive will be active. Old keys and certificates will be kept. This way you will not lose any encrypted data.
For example, if you have encrypted your data with EFS or PSD on both the migration source computer and destination computer, but you have used different certificates on both computers, then migration will activate the certificate from the source computer on the destination computer. The certificate the destination computer had used before will be kept and can be reactivated anytime.
Migration and Personal Secure Drive:
  • If a user had configured Personal Secure Drives on the source computer on a removable media (e.g. USB flash drive), this media can also be used on the destination computer.
  • If a user had configured Personal Secure Drives on the source computer on a fixed hard drive, it is important to back up all Personal Secure Drive image files to be migrated, and to store the backup image files of the source computer in a location that can be accessed by both computers. To use a copy of a source Personal Secure Drive on the destination computer, the corresponding backup image file of the source computer must be restored. Note that after the migration you will have two independent Personal Secure Drives on the source and destination computers. Users may need to reconfigure Personal Secure Drives on the destination computer (see Managing your Personal Secure Drives). To reconfigure a Personal Secure Drive, select I want to change my Personal Secure Drive settings and follow the on-screen directions.
  • Note that existing PSD settings and credentials on the destination computer will be overwritten if the Basic User Keys on the source and destination computers differ. In this case, it is recommended that you save an unencrypted copy of your PSD data before migration. You can do this by deleting the PSD with the option to save an unencrypted copy (see Managing your Personal Secure Drives).
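The three stand-alone migration outcomes above (no keys, different Basic User Key, same Basic User Key) and the PSD overwrite rule can be modelled as a pre-migration check. The following is an added example, not Infineon's code or API: the KeyStore and MigrationPlan types and the plan_migration function are hypothetical, and the certificate and key names are constructed sample values.

```python
"""Pre-migration check modelling the stand-alone outcomes described on this page.

Hypothetical data model (not the Infineon Security Platform API): a computer's
user key store is described by its Basic User Key id, its active certificate,
any older certificates it keeps, and whether a PSD is configured.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KeyStore:
    basic_user_key: Optional[str]          # None: no user keys on this computer yet
    active_cert: Optional[str] = None
    kept_certs: List[str] = field(default_factory=list)
    psd_configured: bool = False


@dataclass
class MigrationPlan:
    action: str                            # "install", "invalidate" or "merge"
    warnings: List[str]
    result: KeyStore                       # expected destination store afterwards


def plan_migration(source: KeyStore, destination: KeyStore) -> MigrationPlan:
    """Decide what migrating the source archive onto the destination would do."""
    migrated = KeyStore(source.basic_user_key, source.active_cert, list(source.kept_certs))
    if destination.basic_user_key is None:
        # Case 1: no user keys yet -> archive is installed, features must be configured.
        return MigrationPlan("install",
                             ["Configure Security Platform Features for the new keys."],
                             migrated)
    if destination.basic_user_key != source.basic_user_key:
        # Case 2: different Basic User Key -> existing keys/certs are invalidated.
        warnings = [f"Certificate {destination.active_cert} will be invalidated; "
                    "decrypt EFS/PSD data protected by it before migrating."]
        if destination.psd_configured:
            warnings.append("PSD settings and credentials will be overwritten; "
                            "save an unencrypted copy of the PSD data first.")
        return MigrationPlan("invalidate", warnings, migrated)
    # Case 3: same Basic User Key -> merge; source certificate becomes active,
    # the destination's previous certificates are kept and can be reactivated.
    old = [c for c in [destination.active_cert] + destination.kept_certs
           if c and c != source.active_cert]
    migrated.kept_certs = old + migrated.kept_certs
    migrated.psd_configured = destination.psd_configured
    return MigrationPlan("merge", [], migrated)
```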


©Infineon Technologies AG