System board swap – Lenovo ThinkVantage Client Security Solution 8.3 User Manual

The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the
following two key protection methods that are more secure than the TPM emulation mode.

• All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created

inside the TPM and cannot be seen or used outside of the TPM. In the TPM emulation mode, the
root-level key is a software-based key stored on the hard disk drive.

• All private key operations are performed within the TPM, so that the private key material for any key is

never exposed outside of the TPM. In the TPM emulation mode, all private key operations are performed
in the software, so there is no protection of the private key material.

The TPM emulation mode is primarily for the user who is less concerned about the security and more
concerned about the system logon speed.

System board swap

A system board swap infers that the old SRK to which keys were bound to is no longer valid, and another
SRK is needed. This can also happen if the Trusted Platform Module is cleared through the BIOS.

The Client Security Solution Administrator is required to bind the system credentials to a new SRK. The
System Base Key will need to be decrypted through the System Base AES Protection Key derived from
the Client Security Solution Administrator’s authorization credentials.

If a Client Security Solution Administrator is a domain user ID and the password for that user ID was changed
on a different machine; the password that was last used when logged onto the system needing recovery
will need to be known in order to decrypt System Base Key for recovery. For example, during deployment
a Client Security Solution Administrator user ID and password will be configured, if the password for this
user changes on a different machine, then the original password set during deployment will be the required
authorization in order to recovery the system.

Follow these steps to perform the system board swap:

1. Client Security Solution Administrator logs on to operating system.

2. Logon-executed code (cssplanarswap.exe) recognizes the security chip is disabled and requires reboot

to enable. (This step can be avoided by enabling the security chip through the BIOS.)

3. System is rebooted and security chip is enabled.

4. The Client Security Solution Administrator logs on; the new Take Ownership process is completed.

5. System Base Key is decrypted using system base AES Protection Key that is derived by the Client

Security Solution Administrator’s authentication. System Base Key is imported to the new SRK and
re-establishes the System Leaf Key and all credentials protected by it.

6. The system is now recovered.

Note: System board swap is not needed when using Emulation Mode.

Chapter 3

.

Working with Client Security Solution

23