Enroll user, System level key structure - take ownership – Lenovo ThinkVantage Client Security Solution 8.3 User Manual

The following diagram provides the structure for the System Level Key:

System Level Key Structure - Take Ownership

Trusted Platform Module

Encrypted via derived AES Key

Storage Root Private Key

Storage Root Public Key

System Leaf Private Key

System Base Private Key

System Leaf Public Key

System Base Public Key

System Base Private Key

System Base Public Key

If Passphrase

loop n times

CSS Admin PW/PP

One-Way Hash

One-Way Hash

System Base AES

Protection Key

(derived via output

of hash algorithm)

Auth

Figure 1. System Level Key Structure - Take Ownership

Enroll User

In order to have each user’s data protected by the same Trusted Platform Module, each user will have their
own user base key created. This asymmetric storage key can be migrated and is also created twice and
protected by a symmetric AES Key generated from each user’s Windows password or Client Security
passphrase.

The second instance of the User Base Key is then imported into the Trusted Platform Module and protected
by the system SRK. With the User Base Key created, a secondary asymmetric key called the User Leaf Key
is created. The User Leaf Key protects individual secrets such as the Password Manager AES Key used to
protect internet logon information, password used to protect data, and the Windows password AES Key
used to protect the access to the operating system. Access to the User Leaf Key is controlled by the user’s
Windows password or Client Security Solution passphrase and is automatically unlocked during logon.

Chapter 3

.

Working with Client Security Solution

21