Restore Emergency Recovery Data Step by Step

With the Emergency Recovery data you can restore the Infineon Security Platform functionality in case of failure and subsequent replacement of your Trusted Platform Module. The restoration process has two parts:

Performed by a Security Platform Administrator:

  • Recreation of the basic Infineon Security Platform functionality (this includes activating the Trusted Platform Module, initializing the Security Platform and restoring the Emergency Recovery data).
In server mode, the Trusted Platform Module has to be enabled and activated by the administrator before the system is connected to the Trust Domain. No other administrative tasks are available, since the Trusted Computing Management Server handles them.

Performed by all Security Platform Users:

  • Restoration of Basic User Keys in order to gain access to protected data again, or
    generation of new Basic User Keys, resulting in the loss of all existing protected data.

Preconditions:
  • Backup Archive including Emergency Recovery data: This archive is created when the Security Platform feature Backup is configured. Configuring Backup including Emergency Recovery is highly recommended in order to preserve user data in case of severe system failure. The Backup Archive must be accessible during the restoration process. It should be stored in a fail-safe location such as a network folder that is backed up regularly. If it is located on a local hard disk, include the archive in a periodic backup. The frequently asked questions cover additional tips on setting up Emergency Recovery data correctly.
  • Emergency Recovery Token: This file protects the Emergency Recovery data from unauthorized use and requires knowledge of a separate password. It is created when the Security Platform feature Backup is configured. It should be stored separately from the Backup Archive, on removable media kept in a secure environment. The Emergency Recovery Token must be accessible during the restoration process.
  • In server mode, Backup and Restoration are handled by the Trusted Computing Management Server, except for Backup and Restoration of Personal Secure Drive (PSD) image files.

Administrative Steps

Step 1 - Preparation of the Trusted Platform Module
One possible reason for a restoration is a failure of the Trusted Platform Module. In that case the replacement chip must be enabled in the system BIOS first.
If other hardware caused the malfunction (e.g. a hard disk failure), the system must be set up properly (operating system restored, user profile and protected data restored) before the Infineon Security Platform can be restored.
This operation is performed by a system administrator. A specific description of how to enable the chip is available in a separate help topic.
Step 2 - Security Platform Initialization and Restoration of Emergency Recovery Data
After the Trusted Platform Module has been enabled, you must initialize the Security Platform and restore the Emergency Recovery data. Both the Backup Archive and the Emergency Recovery Token must be accessible to perform this step. Only an Infineon Security Platform Administrator can restore Emergency Recovery data. Start the Infineon Security Platform Initialization Wizard and select Restore a Security Platform from a backup archive.
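Before starting the Initialization Wizard it pays to verify the preconditions listed above and the result of Step 1 in one place: that the TPM is present, enabled and activated, that both the Backup Archive and the Emergency Recovery Token are reachable, and that the token is not sitting on the same volume as the archive. The following script is an added example and is not part of the Infineon Security Platform help or software; it assumes Windows PowerShell 5.1 run from an elevated prompt, the standard Win32_Tpm WMI class, and the two file paths are hypothetical placeholders that must be replaced with the real locations.

```powershell
# Added example (not Infineon's code): check restoration preconditions before
# running the Security Platform Initialization Wizard.
# Assumptions: Windows PowerShell 5.1, elevated (Win32_Tpm requires administrator),
# and the two default paths below are hypothetical placeholders.
param(
    [string]$BackupArchive = '\\fileserver\spbackup\BackupArchive.xml',  # hypothetical
    [string]$RecoveryToken = 'E:\EmergencyRecoveryToken.xml'             # hypothetical
)

$ErrorActionPreference = 'Stop'
$problems = @()

# 1. Trusted Platform Module: must be present, enabled and activated (Step 1).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    $problems += 'No TPM is visible to Windows: enable the chip in the system BIOS first.'
} else {
    if (-not $tpm.IsEnabled().IsEnabled)     { $problems += 'TPM is present but disabled in the BIOS.' }
    if (-not $tpm.IsActivated().IsActivated) { $problems += 'TPM is enabled but not activated.' }
}

# 2. Backup Archive and Emergency Recovery Token must both be accessible.
foreach ($path in @($BackupArchive, $RecoveryToken)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $problems += "Not accessible: $path"
    }
}

# Classify the volume a path lives on: Removable, Fixed, Network, CDROM or Unknown.
function Get-VolumeKind([string]$Path) {
    $root = [System.IO.Path]::GetPathRoot($Path)          # 'E:\' or '\\server\share'
    if ($root -like '\\*') { return 'Network' }
    $id   = $root.TrimEnd('\')                             # 'E:' matches Win32_LogicalDisk.DeviceID
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$id'"
    switch ([int]$disk.DriveType) {
        2       { 'Removable' }
        3       { 'Fixed' }
        4       { 'Network' }
        5       { 'CDROM' }
        default { 'Unknown' }
    }
}

# 3. Token should be kept separately from the archive, on removable media.
$archiveRoot = [System.IO.Path]::GetPathRoot($BackupArchive)
$tokenRoot   = [System.IO.Path]::GetPathRoot($RecoveryToken)
if ($archiveRoot -eq $tokenRoot) {
    $problems += "Backup Archive and Emergency Recovery Token share the volume $tokenRoot; keep the token on separate media."
}
if (Test-Path -LiteralPath $RecoveryToken) {
    $kind = Get-VolumeKind $RecoveryToken
    if ($kind -ne 'Removable') {
        Write-Warning "Emergency Recovery Token is on $kind media, not removable media as recommended."
    }
}

# 4. Report. A non-zero exit code lets this run as a gate in a larger recovery script.
if ($problems.Count -eq 0) {
    Write-Host 'All restoration preconditions are met; start the Initialization Wizard.'
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }
exit 1
```

The script only checks the preconditions; the actual restoration still has to be done by a Security Platform Administrator in the Initialization Wizard, and in server mode the TPM checks are the only part that applies, since the Trusted Computing Management Server owns the backup and restoration.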

User Step

Recovery of Infineon Security Platform User
After the administrative operations are finalized, the restoration for Infineon Security Platform Users can be performed. Restoration must be done for each individual Infineon Security Platform User in a separate step. Start the Security Platform User Initialization Wizard. The wizard automatically detects the recovery state as soon as it is started. It offers the choice of creating a new Basic User Key or restoring an existing key from a Backup Archive. Usually the existing key should be restored, because otherwise all previously encrypted data becomes inaccessible. Follow the on-screen directions to finish the process.


©Infineon Technologies AG