Trusted Platform Module Ownership - Intel D915GUX Specification

Intel Desktop Board D915GUX/D915GHA Technical Product Specification
etc.), and have them available for future use. These documents should be updated after any
password changes.
1.13.3.2 Emergency Recovery File Back Up Procedures
The Emergency Recovery Token (SPEmRecToken.xml) must be saved or moved to a removable
media (floppy, USB drive, CDR, flash media, etc). Once this is done, the removable media should
be stored in a secure location. DO NOT LEAVE ANY COPIES of the Emergency Recovery
Token on the hard drive or within any hard drive image backups. If a copy of the Emergency
Recovery Token remains on the system, it could be used to compromise the Trusted Platform
Module and platform.
After completing the Infineon Security Platform User Initialization Wizard, a copy of the
Emergency Recovery Archive (SPEmRecArchive.xml) should be copied to a removable media
and stored in a secure location. This procedure should be repeated after any password changes or
the addition of a new user.
1.13.3.3 Hard Drive Image Backup Procedures
To allow for emergency recovery from a hard drive failure, frequent images of the hard drive
should be created and stored in a secure location. In the event of a hard drive failure, the latest
image can be restored to a new hard drive and access to the encrypted data may be re-established.
NOTE
All encrypted and unencrypted data that was added after the last image was created will be lost.
1.13.3.4 Clear Text Backup (Optional)
It is recommended that system owners follow the Hard Drive Image Backup Procedures. To
backup select files without creating a drive image, files can be moved from secured programs or
drive letters to an unencrypted directory. The unencrypted (clear text) files may then be backed up
to a removable media and stored in a secure location. The advantage of the clear text backup is
that no TPM key is required to restore the data. This option is not recommended because the data
is exposed during backup and restore.

1.13.4 Trusted Platform Module Ownership

The Trusted Platform Module is disabled by default when shipped and the owner/end customer of
the system assumes "ownership" of the TPM. This permits the owner of the system to control
initialization of the TPM and create all the passwords associated with the TPM that is used to
protect their keys and data.
System builders/integrators may install both the Infineon Security Platform software and the Wave
System EMBASSY Trust Suite, but SHOULD NOT attempt to use or activate the TPM or either
software package.
44