This option
is ideal if your servers are generally in a secure location to begin with or if they are
remotely located so that you cannot easily interact with the system during the startup
process.
TPM Plus PIN
While TPM only authentication beats not having any authentication whatsoever, it is
still slightly vulnerable since the TPM contains all the data required to authorize unlocking
the volumes. One way to mitigate this risk is to leverage multifactor authentication.
In this case, we can also require that a PIN be entered in addition to the TPM checks to
succeed. The TPM plus PIN method combines the data from a 4- to 20-digit PIN encoded in
SHA256 with the TPM's 2048-bit key to unlock the volume. Requiring that a PIN be entered
increases the level of security, since one of the keys needed to retrieve the volume
master key is no longer physically on the system but rather in someone's head (and,
hopefully, not written on a piece of paper next to the server).
338 Microsoft Windows Server 2008 Administration
TPM Plus Startup Key
This authentication method is similar to the TPM plus PIN method, except that instead
of typing a PIN, we are required to insert a USB flash drive containing a startup key. The
2048-bit TPM key reads the hash values in the PCR and generates a 256-bit intermediate
key. This intermediate key is then masked with the 256-bit startup key using the XOR
(Exclusive OR) operator to retrieve a second 256-bit intermediate key that then unlocks
the volume master key.
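The following Python model, added here and not taken from the book or from Microsoft's BitLocker code, illustrates the two derivations described above: a PIN hashed with SHA256, and a 256-bit TPM-derived intermediate key XORed with a 256-bit USB startup key. HMAC-SHA256 over constructed PCR values stands in for the TPM's internal sealing, and every secret below is a constructed sample value.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256 bits, the intermediate and startup key size the text describes


def pin_to_key(pin: str) -> bytes:
    """TPM+PIN input: a 4- to 20-digit PIN encoded with SHA256."""
    if not (4 <= len(pin) <= 20) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 20 digits")
    return hashlib.sha256(pin.encode("ascii")).digest()


def tpm_intermediate_key(tpm_secret: bytes, pcr_values: list) -> bytes:
    """Model of the TPM step: the TPM-resident secret is bound to the PCR
    measurements, so a changed boot chain (different PCR values) yields a
    different 256-bit intermediate key.  HMAC-SHA256 is an assumed stand-in
    for the TPM's sealing; it is not the real TPM algorithm."""
    return hmac.new(tpm_secret, b"".join(pcr_values), hashlib.sha256).digest()


def xor_mask(intermediate: bytes, startup_key: bytes) -> bytes:
    """TPM+startup key: XOR the 256-bit intermediate key with the 256-bit
    startup key from the USB drive to obtain the second intermediate key."""
    if len(intermediate) != KEY_LEN or len(startup_key) != KEY_LEN:
        raise ValueError("both keys must be 256 bits")
    return bytes(a ^ b for a, b in zip(intermediate, startup_key))


# Constructed sample values (not real TPM, PCR or BitLocker material)
TPM_SECRET = hashlib.sha256(b"constructed-tpm-secret").digest()
GOOD_PCRS = [hashlib.sha256(b"firmware").digest(), hashlib.sha256(b"bootmgr").digest()]
TAMPERED_PCRS = [hashlib.sha256(b"firmware").digest(), hashlib.sha256(b"other-bootmgr").digest()]
STARTUP_KEY = hashlib.sha256(b"constructed-usb-startup-key").digest()


def unlock_key(pcr_values: list, startup_key: bytes) -> bytes:
    """Second intermediate key that would unlock the volume master key."""
    return xor_mask(tpm_intermediate_key(TPM_SECRET, pcr_values), startup_key)


def demo() -> dict:
    """Which failure modes still reproduce the correct unlock key? (none should)"""
    expected = unlock_key(GOOD_PCRS, STARTUP_KEY)
    return {
        "tampered_boot_matches": unlock_key(TAMPERED_PCRS, STARTUP_KEY) == expected,
        "wrong_usb_key_matches": unlock_key(GOOD_PCRS, secrets.token_bytes(KEY_LEN)) == expected,
        "tpm_output_alone_matches": tpm_intermediate_key(TPM_SECRET, GOOD_PCRS) == expected,
    }
```

Because the mask is a full-length XOR, the TPM's intermediate key on its own is consistent with every possible second key; without the startup key (or the PIN, in the other mode) the material held on the machine does not determine the unlock key.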