Exam CISSP topic 1 question 98 discussion

Solution is Bitlocker and storing location is TPM.. Ans: A

A TPM is a specific device to keep it's own keys secure (source of identity) While an HSM is a general device to secure foreign keys (verify identity)

The Bitlocker use Root Key for the encryption and stores Root key in TPM

While BitLocker can leverage TPM for secure key storage and encryption, it does not include a root key itself. The root key comes from the TPM, not BitLocker.

BitLocker is a full disk encryption feature built into Windows that uses a root key to encrypt the data on an endpoint. The root key is typically protected using a Trusted Platform Module (TPM) chip, which provides hardware-based security for the encryption keys, ensuring that they are not easily accessible or tampered with.

Bitlocker is the only encryption solution listed, and it does include a root key. TPM and HSM can store these keys.

Comparison: TPM: Integrated into endpoint devices. Secure storage of root keys. Used for disk encryption (e.g., BitLocker). Cost-effective for individual devices. HSM: External hardware used in server environments. Provides high-security key management for enterprise applications. More expensive and complex to implement on individual endpoints.

HSMs are nothing to do with endpoints.

OSG - A TPM is an example of a hardware security module (HSM). So, D includes B.

TPM = endpoint device

Ans is A. Its asking which one can do encrtpytion and has use key crypto. TPM and HSM only store crypto keys, it is not any encryption device. https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee

Only HSM includes a root key

Answer D) HSM https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-understand-concepts#:~:text=A%20hardware%20security%20module%20(HSM,authentication%20and%20provides%20crypto%2Dprocessing. TPM does not handle ROOT KEYS..it handles a STORAGE ROOT KEY, but that is used as the master key for TPM access and not the same as a ROOT KEY Bitlocker does not manage any keys. https://www.linkedin.com/advice/0/what-best-practices-managing-tpm-keys-certificates#:~:text=The%20TPM%20can%20create%20and,platform%20configuration%20registers%20(PCRs).

BitLocker is a full-disk encryption feature provided by Microsoft Windows operating systems. It uses a root key, which is protected by the Trusted Platform Module (TPM) or other authentication mechanisms, to secure the encryption of data on the endpoint.

The correct answer is "B" (TPM). See https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals "Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself." In PKI, there is no notion of a "root key". There is a "root certificate", which key is usually stored in a HSM, but this key is not called a root key. Therefore, answer "D" is incorrect. The question is "secure and efficient method of encrypting data on an endpoint", meaning Bitlocker, however, Bitlocker does not include a root key, but a TPM does.

A Hardware Security Module (HSM) is a secure physical device that provides cryptographic functions and key management. HSMs are specifically designed to secure and manage cryptographic keys, including root keys, in a tamper-resistant and highly secure environment. They offer a robust solution for encrypting data on an endpoint by safeguarding the encryption keys used in the process.

D. Hardware security module (HSM). A hardware security module (HSM) is a dedicated physical device that provides secure cryptographic operations and key management. It includes a root key, which is a master key that is used to generate and manage other keys within the HSM. The root key is securely stored within the HSM, ensuring its confidentiality and protection. While TPM provides secure storage for encryption keys, it does not specifically include a root key. The root key mentioned in the question typically refers to a master key or a key hierarchy used in key management systems like Hardware Security Modules (HSMs). HSMs are specialized devices that offer more advanced key management functionalities and are often used in high-security environments. So, while TPM is a valid solution for secure and efficient endpoint encryption, it does not explicitly include a root key as mentioned in the question.