Exam CISSP topic 1 question 98 discussion

A TPM is a specific device to keep it's own keys secure (source of identity) While an HSM is a general device to secure foreign keys (verify identity)

Bitlocker is the only encryption solution listed, and it does include a root key. TPM and HSM can store these keys.

Comparison: TPM: Integrated into endpoint devices. Secure storage of root keys. Used for disk encryption (e.g., BitLocker). Cost-effective for individual devices. HSM: External hardware used in server environments. Provides high-security key management for enterprise applications. More expensive and complex to implement on individual endpoints.

HSMs are nothing to do with endpoints.

OSG - A TPM is an example of a hardware security module (HSM). So, D includes B.

TPM = endpoint device

Ans is A. Its asking which one can do encrtpytion and has use key crypto. TPM and HSM only store crypto keys, it is not any encryption device. https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee

Only HSM includes a root key

Answer D) HSM https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-understand-concepts#:~:text=A%20hardware%20security%20module%20(HSM,authentication%20and%20provides%20crypto%2Dprocessing. TPM does not handle ROOT KEYS..it handles a STORAGE ROOT KEY, but that is used as the master key for TPM access and not the same as a ROOT KEY Bitlocker does not manage any keys. https://www.linkedin.com/advice/0/what-best-practices-managing-tpm-keys-certificates#:~:text=The%20TPM%20can%20create%20and,platform%20configuration%20registers%20(PCRs).

BitLocker is a full-disk encryption feature provided by Microsoft Windows operating systems. It uses a root key, which is protected by the Trusted Platform Module (TPM) or other authentication mechanisms, to secure the encryption of data on the endpoint.

The correct answer is "B" (TPM). See https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals "Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself." In PKI, there is no notion of a "root key". There is a "root certificate", which key is usually stored in a HSM, but this key is not called a root key. Therefore, answer "D" is incorrect. The question is "secure and efficient method of encrypting data on an endpoint", meaning Bitlocker, however, Bitlocker does not include a root key, but a TPM does.

A Hardware Security Module (HSM) is a secure physical device that provides cryptographic functions and key management. HSMs are specifically designed to secure and manage cryptographic keys, including root keys, in a tamper-resistant and highly secure environment. They offer a robust solution for encrypting data on an endpoint by safeguarding the encryption keys used in the process.

D. Hardware security module (HSM). A hardware security module (HSM) is a dedicated physical device that provides secure cryptographic operations and key management. It includes a root key, which is a master key that is used to generate and manage other keys within the HSM. The root key is securely stored within the HSM, ensuring its confidentiality and protection. While TPM provides secure storage for encryption keys, it does not specifically include a root key. The root key mentioned in the question typically refers to a master key or a key hierarchy used in key management systems like Hardware Security Modules (HSMs). HSMs are specialized devices that offer more advanced key management functionalities and are often used in high-security environments. So, while TPM is a valid solution for secure and efficient endpoint encryption, it does not explicitly include a root key as mentioned in the question.

HSM includes a root key.

on top of all the CISSP study guide and student edition mentions - "Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user." https://security.stackexchange.com/questions/181539/how-are-bitlocker-fde-keys-stored-in-the-tpm

An endpoint is any device that is physically an end point on a network. Laptops, desktops, mobile phones, tablets, servers, and virtual environments can all be considered endpoints. what can be installed on all end points?

Solution is Bitlocker and storing location is TPM.. Ans: A