Take ownership – Lenovo ThinkVantage (Client Security Solution 8.21) User Manual

enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll
into Client Security Solution.

• Take Ownership

A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator
for the system. Client Security Solution administrative functions must be performed through this user
ID. The Trusted Platform Module authorization is either this user’s Windows password or Client Security
passphrase.

Note: The only way to recover from a forgotten Client Security Solution Administrators password or
passphrase is to either uninstall the software with valid Windows permissions or to clear the security chip
in BIOS. Either way, the data protected through the keys associated with the Trusted Platform Module
will be lost. Client Security Solution also provides an optional mechanism that allows self-recovery of
a forgotten password or passphrase based on a question and answer challenge response. The Client
Security Solution Administrator makes the decision whether to use the feature or not.

• Enroll User

Once the Take Ownership process is completed and a Client Security Solution Administrator is created,
a User Base Key can be created to securely store credentials for the currently logged on Windows
user. This design allows for multiple users to enroll into Client Security Solution and leverage the single
Trusted Platform Module. User keys are protected through the security chip, but actually stored off
the chip on the hard drive. This design creates hard drive space as the limiting storage factor instead
of actual memory built into the security chip. The number of users that can leverage the same secure
hardware is vastly increased.

Take Ownership

The root of trust for Client Security Solution is the System Root Key (SRK). This non-migratable asymmetric
key is generated within the secure environment of the Trusted Platform Module and never is exposed to
the system. The authorization to leverage the key is derived through the Windows Administrator account
during the TPM_TakeOwnership command. If the system is leveraging a Client Security passphrase, then the
Client Security passphrase for the Client Security Solution Administrator will be the Trusted Platform Module
authorization, otherwise it will be the Client Security Solution Administrator’s Windows password.

With the SRK created for the system, other key pairs can be created and stored outside of the Trusted
Platform Module, but wrapped or protected by the hardware-based keys. Since the Trusted Platform
Module, which includes the SRK is hardware and hardware can be damaged, a recovery mechanism is
needed to make sure damage to the system does not prevent data recovery.

In order to recover a system, a System Base Key is created. This asymmetric storage key enables the Client
Security Solution Administrator to recover from a system board swap or planned migration to another
system. In order to protect the System Base Key, but allow it to be accessible during normal operation or
recovery, two instances of the key is created and protected by two different methods. First, the System
Base Key is encrypted with an AES Symmetric Key that is derived from knowing the Client Security Solution
Administrator's password or Client Security passphrase. This copy of the Client Security Solution Recovery
Key is solely for the purpose of recovering from a cleared Trusted Platform Module or replaced system board
because of hardware failure.

The second instance of the Client Security Solution Recovery Key is wrapped by the SRK to import it to the
key hierarchy. This double instance of the System Base Key allows the Trusted Platform Module to protect
secrets bound to it below in normal usage and allows for a recovery of a failed system board through the
System Base Key that is encrypted with an AES Key unlocked by the Client Security Solution Administrator
password or Client Security passphrase. Next, a System Leaf Key is created. This key is created to protect
system level secrets such as the AES Key.

18

Client Security Solution 8.21Deployment Guide