HP ProtectTools Security Software 2010 - Technical White Paper
Q. If a TPM encrypted file is copied or moved to a second system which does not have the key to 
decrypt the file, what would happen to the file? Would it remain on the second system as an unreadable file 
or would it be automatically deleted? Would the user of the second system be able to delete the file 
even if he does not have the decryption keys? Is there a solution to automatically delete such files? 
A. This depends on the application being used to move data from one system to the other. If the 
application reads the data, repackages it and sends it to another platform (say you email an 
encrypted file on your system), then the data/file is typically read/accessed by your email 
program, thereby decrypting it. Now the email program may indeed encrypt the data across 
the internet if that option is selected, but the TPM is no longer in the picture protecting the data. This is 
true of any data on your system encrypted by MSFT EFS (Microsoft's Encrypting Filesystem, where 
the TPM can be used to protect the file/folder encryption keys), and the same is true for files encrypted 
within PSD (ProtectTools' Personal Secure Drive). It is possible to have a file remain encrypted no 
matter where it resides, but typically in those types of applications the file is changed, for instance 
from "hello.doc" to "hello.doc.enc", or marked in some other way to show that the actual file is encrypted and that a 
separate program must process the file before it is readable. 
Q. Regarding the TPM chip itself, does it store any user specific information? If so, how can one 
clear it? 
A. There is no user data in the TPM; however, if required, the TPM can be cleared via F10 BIOS to 
return to the factory default/cleared state. 
Q. What is the Credential Manager module for HP ProtectTools? 
A. Please refer to the "Credential Manager for HP ProtectTools" section of the white paper. 
Q. How does Credential Manager differ from other single-sign-on solutions? 
A. Most technologies and features provided by HP ProtectTools Security Manager are individually 
available. The value of HP ProtectTools is that it brings these technologies together into a single 
easy to use security solution. As an HP ProtectTools add-on, the features provided by Credential 
Manager are integrated into HP ProtectTools and work with the user authentication features of HP 
ProtectTools. 
Q. Does Credential Manager for HP ProtectTools use the embedded security chip if available? 
A. Yes, Credential Manager uses the embedded security chip, if available, to encrypt passwords 
stored in the password vault. 
Q. Does Credential Manager for HP ProtectTools support multiple users on a single client device? 
A. Yes, Credential Manager works on the concept of "identity". In order to log on to a computer, 
a user simply needs to create a Credential Manager ID. 
Q. What if a user has multiple Microsoft Windows accounts? 
A. This would function the same as multiple users on a single PC. The user would have to create a 
different identity for each account. 
Q. What is the difference between user and administrator rights for Credential Manager for HP 
ProtectTools? 
A. An administrator has full rights to all Credential Manager Configuration options. A user can use 
the Credential Manager for authentication and use the single sign-on features, but does not have 
access to the Authentication and Credential configuration or the Advanced Settings. 










