The volumes are protected using a 256-bit full-volume encryption key (FVEK). This key is
in turn protected by a 256-bit volume master key (VMK). The volume master key is itself
protected by one or more of several methods, depending on the authentication method
you have specified. The following authentication methods are available:
• TPM only
• TPM plus PIN (4 to 20 digits)
• TPM plus startup key
• Clear key (BitLocker suspended: the volume master key is stored on the volume unencrypted, so the data is not actually protected)
• Startup key or recovery key
• Recovery password
Each method provides a different level of protection for the volume master key. Your
choice of method depends on your environment, your particular scenario, and how you need
to balance safeguarding the data against ease of use and recoverability.
TPM Only Authentication
As its name implies, TPM only authentication means that the volume master key is sealed
by the TPM (using its 2048-bit RSA key) to the measured state of the startup components, and
the TPM releases it at boot without any user interaction. This provides boot-integrity
protection but a relatively low level of protection against anyone with physical access,
because powering on the system will simply boot it as normal: the TPM unlocks the drive
automatically as long as the startup files have not been altered. It protects the data on
the volume only from being read on a completely different system. If the hard drive is
moved to a different computer or the motherboard is replaced, the TPM measurements will
no longer match and the server will not boot unless a successful recovery takes place.
TPM only authentication also protects the system by ensuring that the startup files are not
tampered with; if they are, the checks in the TPM fail and the volume master key is not
released. Because the volume is unlocked before anyone logs on, the data is then only as
safe as the running operating system, so TPM only is best reserved for servers that must
reboot unattended, and combined with a PIN or startup key elsewhere.
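The following PowerShell script is an added example, not from the book, that ties the key hierarchy and the list of authentication methods above to the TPM only discussion: it reports which key protectors currently wrap the volume master key, re-enables protection if the volume is suspended (the clear key case), replaces a bare TPM protector with TPM plus PIN, and makes sure a recovery password exists and is escrowed before a hardware change invalidates the TPM measurements. It assumes Windows Server 2012 / Windows 8 or later (the BitLocker PowerShell module), an elevated session, volume C:, and that Group Policy permits a startup PIN with TPM and AD DS backup of recovery information; the helper name Get-ProtectorSummary is the author's own.

```powershell
# Added example (not from the book). Assumes the BitLocker PowerShell module
# (Windows Server 2012 / Windows 8 or later), an elevated session, and that
# policy allows a TPM+PIN protector and AD DS recovery escrow. C: is assumed.
$MountPoint = "C:"

# Summarise how the volume master key is currently protected.
function Get-ProtectorSummary {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus    # Off = suspended (clear key)
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ", "
    }
}

Get-ProtectorSummary -MountPoint $MountPoint | Format-List
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# ProtectionStatus Off means BitLocker is suspended: the VMK sits on the
# volume in the clear, so none of the protectors below actually guard the data.
if ($vol.ProtectionStatus -eq "Off") {
    Write-Warning "$MountPoint is suspended (clear key); resuming protection."
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

# A bare "Tpm" protector unlocks at power-on for anyone holding the machine.
# Add TPM+PIN first, then remove the TPM-only protector so it cannot be used.
$tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" }
if ($tpmOnly) {
    $pin = Read-Host -Prompt "Enter a 4 to 20 digit startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
}

# A motherboard swap or firmware update changes the TPM measurements and the
# server will not boot without recovery, so make sure a recovery password
# exists and is backed up to Active Directory before that happens.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
if (-not $recovery) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
}
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

Get-ProtectorSummary -MountPoint $MountPoint | Format-List
```

The TPM+PIN protector is added before the TPM-only one is removed so the volume is never left without a TPM-bound protector; if Add-BitLockerKeyProtector fails because policy does not allow a startup PIN, the script stops with the original protector still in place.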