Troubleshooting

Infineon Security Platform Solution

The following section describes procedures to carry out the most likely troubleshooting operations on an Infineon Security Platform:

A platform needs to be setup, but the Trusted Platform Module already has an owner.

The Infineon Security Platform has been set up, but the Infineon Security Platform Owner has changed.

What has to be taken into consideration for Emergency Recovery using the Infineon Security Platform Initialization Wizard?

A document stored in an EFS protected folder has to be restored from a system backup. The Infineon Security Platform User does not exist on the target system. How can this situation be solved?

A commonly used application creates temporary files outside the standard temp folders. Generally, all temp folders are not EFS protected. How can the temp files of this application be secured, especially since these files remain on the hard drive when the application is closed?

When an Infineon Security Platform User first accesses an EFS folder, the password for the Basic User Key is requested. If this dialog is canceled and a recovery agent is configured, the user can still access the data in the EFS folder as long as the recovery agent's private key is available to the user. Is this an error in the system?

Remarks on EFS are not relevant for Windows Home editions, since EFS is not supported by them.

A platform needs to be setup, but the Trusted Platform Module already has an owner.

In this case the existing Security Platform Owner will be used to initialize the Security Platform. This requires the knowledge of the existing Owner Password or access to the corresponding Owner Password Backup File.

This is a typical situation in a multi-system environment, where more than one operating system installation exists on a computer. The Infineon Security Platform Owner ("Storage Root Key", SRK) cannot leave the Trusted Platform Module and cannot be introduced from outside, so an 'import' operation is not possible.

Depending on the existence of Basic User Keys, a different approach during Security Platform initialization is required.

If no Basic User Key was created on the Security Platform, a new Backup Archive (containing Emergency Recovery data) can be created. Then the Infineon Security Platform is ready for further operations.

If Basic User Keys exist and a Backup Archive (containing Emergency Recovery data) is set up, it is very important not to overwrite this archive during the Security Platform initialization.

In server mode, you need to first clear the owner if an owner already exists before connecting the system to the Trust Domain. The Security Platform will then be enrolled automatically into the Trust Domain (see Platform Enrollment).
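A PowerShell pre-check for the situation above, added here as an example and not part of the Infineon documentation: it reads the TPM state through the Win32_Tpm WMI class that Windows Vista and later provide and reports which initialization path applies. It assumes an elevated PowerShell session, since Win32_Tpm requires administrator rights, and it only reports state; it does not clear or take ownership.

```powershell
# Added example (not Infineon's code): report the TPM state that decides
# whether a Security Platform initialization can take ownership directly or
# needs the existing Owner Password / Owner Password Backup File.
function Get-TpmOwnershipState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No Win32_Tpm instance: TPM absent or hidden by BIOS/UEFI.
        return [pscustomobject]@{ Present = $false; Enabled = $false
                                  Activated = $false; Owned = $false }
    }
    # Each Is*() method returns an object with ReturnValue and a boolean
    # of the same name as the method.
    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

$state = Get-TpmOwnershipState
$state | Format-List

if (-not $state.Present) {
    'No TPM visible to Windows: check the BIOS/UEFI TPM settings before running the Initialization Wizard.'
}
elseif (-not ($state.Enabled -and $state.Activated)) {
    'TPM present but not enabled and activated: enable and activate it in BIOS/UEFI first.'
}
elseif ($state.Owned) {
    'TPM already has an owner: stand-alone initialization needs the existing Owner Password or the Owner Password Backup File; server mode requires the owner to be cleared before enrollment into the Trust Domain.'
}
else {
    'TPM has no owner: initialization (or server-mode enrollment) can take ownership.'
}
```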


The Infineon Security Platform has been set up, but the Infineon Security Platform Owner has changed.

If the Security Platform has been set up with Emergency Recovery, your Security Platform credentials can be re-activated by utilizing the Emergency Recovery support of the Security Platform Solution.

In server mode, the Trusted Platform Module should not have an Owner before connecting the system to the Trust Domain, i.e. it must not have been initialized yet (neither by the Infineon TPM Professional Package in stand-alone mode, nor by the Trusted Domain Server in server mode, nor by any other software such as Windows Vista Trusted Platform Module (TPM) Management).


What has to be taken into consideration for Emergency Recovery using the Infineon Security Platform Initialization Wizard?

Emergency Recovery of a system may be done if your Trusted Platform Module has been replaced or reset and a backup image is available which enables you to restore your data. The Security Platform related user specific data and the Emergency Recovery data are backed up by automatic system backups.

The Infineon Security Platform Administrator must have access to the Backup Archive and to the Emergency Recovery Token that was created when the system was set up, and he must know the password protecting this token.

The Infineon Security Platform Administrator restores the system by starting the Infineon Security Platform Backup Wizard.

If the recovery is made on a computer with a changed name, the former name of the computer or the computer's platform ID (SID) must be known. It is possible that there is recovery data of several computers in the backup archive. In this case you need to select a computer from the backup archive to be restored.

In server mode Emergency Recovery is handled by Trusted Computing Management Server.


A document stored in an EFS protected folder has to be restored from a system backup. The Infineon Security Platform User does not exist on the target system. How can this situation be solved?

If the Basic User Key is no longer available and no recovery certificate (for a recovery agent) has been set up, the document is definitely lost.

Otherwise, the first step is to restore the file from the backup. This is done without touching the security relevant properties of the file. In a next step the recovery certificate must be used to enable a recovery agent to decrypt the file.


A commonly used application creates temporary files outside the standard temp folders. Generally, all temp folders are not EFS protected. How can the temp files of this application be secured, especially since these files remain on the hard drive when the application is closed?

This is a common problem for many applications. Depending on the application, it may be that temporary files are created outside the configured EFS folders. When this is not the common %AppData% folder in the user profile (generally named "Application Data"), it is an application-specific feature and no general statement can be made on how to handle the situation. Once the location is known (and a configuration of the folder is not supported by the application), applying the EFS security on the respective folder can be a solution. When this approach is not feasible, at least the deletion of such files upon closing the application should be guaranteed.
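A PowerShell audit for this situation, added as an example and not part of the Infineon documentation: once the application's temp folder is known, it lists files there that carry no EFS encryption attribute and, with -Encrypt, marks the folder so that files created later are encrypted and encrypts the files already present. It assumes the current user holds an EFS certificate (the Basic User Key on a Security Platform), that the volume is NTFS and that the Windows edition supports EFS; the folder path is a parameter you supply.

```powershell
# Added example (not Infineon's code): find unencrypted temp files of an
# application outside the standard EFS-protected folders and optionally
# put the folder under EFS protection.
param(
    [Parameter(Mandatory = $true)]
    [string] $TempFolder,   # application-specific temp folder you identified
    [switch] $Encrypt       # also apply EFS to the folder and its files
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo] $Item)
    # NTFS sets the Encrypted attribute on EFS-protected files and folders.
    ($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

$folder = Get-Item -LiteralPath $TempFolder
$unprotected = Get-ChildItem -LiteralPath $TempFolder -Recurse -File |
    Where-Object { -not (Test-EfsEncrypted -Item $_) }

"Folder '{0}' EFS-marked: {1}" -f $folder.FullName, (Test-EfsEncrypted -Item $folder)
"{0} unencrypted file(s) found" -f @($unprotected).Count
$unprotected | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Encrypt) {
    # Mark the folder (and subfolders) first so the application's future
    # temp files inherit EFS; /a also encrypts the files already present.
    & cipher.exe /e /a "/s:$($folder.FullName)"
    # Re-check: anything still unencrypted is usually open/locked by the
    # application and needs the application closed first.
    $remaining = Get-ChildItem -LiteralPath $TempFolder -Recurse -File |
        Where-Object { -not (Test-EfsEncrypted -Item $_) }
    "{0} file(s) still unencrypted after cipher /e" -f @($remaining).Count
    $remaining | Select-Object FullName
}
```

Files reported as still unencrypted after the run are typically held open by the application; if the folder cannot be protected at all, verifying that the application deletes them on exit is the fallback the text describes.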

Further troubleshooting information for the Encrypting File System is available in the Microsoft Developer Network (MSDN).


When an Infineon Security Platform User first accesses an EFS folder, the password for the Basic User Key is requested. If this dialog is canceled and a recovery agent is configured, the user can still access the data in the EFS folder as long as the recovery agent's private key is available to the user. Is this an error in the system?

This behavior is correct due to the design of the recovery agent. When a recovery certificate is configured for an EFS folder, this certificate is used by the recovery agent when the folder is first accessed. Depending on whether the computer is in a domain or not, different solutions exist:

Computer is in a domain: Here the administrator is responsible for the certificate assignment. If no assignment to a specific Infineon Security Platform User exists, the described behavior will not occur.

Computer is running Windows 2000 and is not a member of a domain: A possible way is to make sure that the recovery agent's private key is not available to normal Security Platform users.

Computer is running another supported operating system and is not a member of a domain: In this case the recovery certificate normally does not exist, so the behavior should not occur.

©Infineon Technologies AG