Motherboard swap - take ownership, Motherboard swap - enroll user – Lenovo ThinkVantage Client Security Solution 8.3 User Manual


The following diagram provides the structure for the motherboard swap - take ownership:

[Diagram: Motherboard Swap - Take Ownership. Labels: Trusted Platform Module; System Leaf Private Key; System Leaf Public Key; Store Leaf Private Key; Store Leaf Public Key; System Base Private Key; System Base Public Key; Decrypted via derived AES Key; CSS Admin PW/PP; One-Way Hash; If Passphrase loop n times; System Base AES Protection Key (derived via output of hash algorithm).]

Figure 3. Motherboard Swap - Take Ownership

As each user logs on to the system, the User Base Key is automatically decrypted through the User Base
AES Protection Key derived from user authentication and imported to the new SRK created through the
Client Security Solution Administrator.

To log in a second user after the chip has been cleared or after you replace the motherboard, you must log in
as the master administrator. The master administrator will be prompted to restore the keys. Once the key
restoration has been completed, use Policy Manager to disable the Client Security Windows logon. The
remaining users will be able to restore their respective keys. Once all secondary users have restored their
keys, the master administrator can enable the Client Security Solution Windows logon feature.

The following diagram provides the structure for the motherboard swap - enroll user:

[Diagram: Motherboard Swap - Enroll User. Labels: Trusted Platform Module; Storage Root Private Key; Storage Root Public Key; User Leaf Private Key; User Leaf Public Key; Windows PW AES Key; PW Manager AES Key; User Base Private Key; User Base Public Key; Decrypted via derived AES Key; User PW/PP; One-Way Hash; If Passphrase loop n times; User Base AES Protection Key (derived via output of hash algorithm).]

Figure 4. Motherboard Swap - Enroll User

Client Security Solution 8.3 Deployment Guide