Key Transfer Manager
Frequently Asked Questions
What is Key Transfer Manager (KTM)?
Key Transfer Manager (KTM) is a key archive system for end-users and enterprises that need a straightforward and automated method to securely archive, restore, and transfer TPM encryption keys and some associated data. When used with Wave’s EMBASSY Key Manager Server (EKMS), enterprises have a way to manage the critical issue of ensuring that encryption keys are not lost easily across their network.
What scenarios does Key Transfer Manager (KTM) cover?
The Trusted Platform Module (TPM) security chip generates and stores cryptographic keys in hardware for use by secure applications. Windows does not provide backup and recovery procedures for these keys. Key Transfer Manager assists in the backup and recovery of keys generated by the TPM security chip in scenarios such as:
- Hard drive failure.
- Motherboard or TPM chip malfunction.
- Transfer to a new trusted PC.
- Recovery of certificates or keys on the original platform, should the need arise.
Will using Key Transfer Manager ensure that I can recover my secure data?
Using KTM ensures that you can recover certain keys that are used to unlock your secure data. You must use another backup and restore mechanism for any data that is encrypted by these keys, because KTM does not back up or restore that data.
Some keys, however, are used only for authentication rather than encryption, so there may be no separate data to back up. For example, to recover e-mail encrypted by TPM keys, KTM can back up and restore the key and certificate, but the encrypted e-mails themselves must be backed up and restored through another means.
With Document Manager, KTM can back up and restore the encryption key, but the encrypted data in the Document Manager Vault location should be backed up separately.
Does Key Transfer Manager (KTM) come with the standard Dell security software?
No. The Wave software that is preinstalled on Dell systems includes a basic archive and restore function that allows users to manually archive to and restore from a media location (USB device, network location, etc.). KTM is provided with an upgraded enterprise package that is available from either Dell or Wave.
How does Key Transfer Manager work?
After you install and set up KTM, usually through the install of the full EMBASSY Trust Suite or the enterprise upgrade package, the program initiates a full backup of the TPM keys you have created up to that point. If you are not automatically prompted to do a full backup, open the EMBASSY Security Center, click on Archive & Restore and choose “Archive TPM Keys for the Current User”. After setup, Key Transfer Manager runs in the background.
When an application requests that keys be generated (typically through the Wave TCG-Enabled Cryptographic Service Provider [CSP] software), the keys are archived automatically, provided you have Automatic Archiving selected and your archive location is accessible. If you do not use automatic archiving, you can either archive the keys manually or set up a schedule to archive on certain days and times. Once the data is archived, you can restore it when needed by opening the EMBASSY Security Center, selecting Archive & Restore and choosing “Restore TPM Keys for the Current User”.
How does EKMS work with KTM?
The Key Transfer Manager (KTM) client software formats the TPM-secured keys, certificates and passwords into individual migration packages and securely transmits them to the EKMS server for storage and subsequent recovery. Retrieval of the archived information requires authorized access based on the company’s security policy settings. Using EKMS, an IT administrator can perform activities on archives, such as resetting the master password, assigning archives to be downloaded to different clients, and more.
Does Key Transfer Manager (KTM) require Embassy Key Management Server (EKMS) and vice versa?
KTM can work without EKMS, but EKMS requires KTM. If you upgrade to the enterprise package of the EMBASSY Trust Suite, KTM gives you an automated way to archive TPM keys and associated data. Other functions, such as a scheduler and a detailed view of all TPM keys and certificates, are provided as well. Purchasing EKMS ensures that you receive the KTM client for all systems that contain TPMs.
How do I start Key Transfer Manager?
Under normal conditions, Key Transfer Manager automatically starts when you start Windows. It runs in the background, and will automatically archive keys as they are created. To perform other functions of Key Transfer Manager, open up the EMBASSY Security Center and click on Archive & Restore. If Key Transfer Manager is installed, the proper tab will display and you can perform any manual functions there, such as scheduling a periodic backup to ensure that all TPM keys and TPM-specific data are archived.
Can I create more than one key archive?
Yes, you may have archives of keys in multiple locations, including an EKMS server, unless you are connected to a network where your system administrator has set a policy that does not allow this. With multiple locations, however, only one location is “selected” or active at any one time. When a key is created and an archive action is initiated, it is archived to the current archive location as specified in the Settings window.
How do I ensure that my TPM keys are archived?
First, ensure that an initial archive is created after setting up the archive location. You can do this by manually choosing “Archive Keys for the Current User” in the EMBASSY Security Center Archive & Restore tab. We suggest that you set both the Automatic Archiving option in Settings and create a daily schedule for archiving to ensure that new keys are archived quickly after being created. You can view individual keys and archives through the Advanced window.
Are all TPM keys backed up?
TPM keys that are allowed to be backed up are called “migratory” or “migratable” keys. Non-migratory keys cannot be backed up. The application that requests the creation of the key(s) sets this property. Generally, keys used to encrypt data can be migrated (backed up).
How do I access the archive and restore commands? How do I get to the KTM menu of commands?
You can access these commands for all TPM keys through the EMBASSY Security Center Archive & Restore tab. If you select the Advanced option from this window, you are able to perform Archive and Restore commands on individual keys. Automatic and scheduled archiving relieves you of having to remember to manually archive your TPM keys.
What do I need to do to restore keys?
First, ensure that the TPM is working. In other words, all TPM-related software must be installed and you should have the TPM Owner password (which indicates ownership). Next, ensure that Key Transfer Manager is installed on the PC and that the archive location points to the file or files from which you are restoring keys. Third, have your key archive password available (if not using EKMS). Open the EMBASSY Security Center, select “Restore TPM Keys for the Current User” and enter your key archive password when prompted.
Where are the archives stored?
Archives are stored wherever you or your administrator chose to store them during the KTM setup. The Settings window will show you the archive location or locations and which location is currently selected. Choosing the Details button from the Settings window will show you the individual location as well (you may need to click and drag the right-hand border of the value field outside of the window to view long filenames). Alternatively, the top tree hierarchy in the Archive tab from the Advanced menu also points to the location.
Why do you recommend not creating an archive on the local hard drive?
Wave recommends that you do not choose archive locations on your local hard drive, so that recovery remains possible in the case of a hard drive failure. The TPM and its associated software store some data on the local hard drive; if the archive is also stored on the local hard drive and that drive crashes, recovery of TPM keys would not be possible. Other common locations for archives are USB flash drives, network drives or any media to which you can save files or data.
What is the TPM Owner password and why does the setup wizard require it?
The TPM Owner password is an administrator password that is required to start using the TPM security chip (it is created during a process called “Take Ownership”). The Trusted Computing Group (TCG) specifications require this password to be provided when creating a new location to store archived TPM keys. The TPM Owner password is only required when initially setting up the archive location to the EMBASSY Key Management Server or when creating an archive in a new location. It is not required for each backup operation and is not required for a restore operation.
What if I forget my TPM Owner password?
If a system administrator initialized your TPM’s security system and created this password, they may be able to provide it to you. If you did the initial setup, but cannot remember it, you will need to reset the TPM, which will initialize the TPM chip and clear all of your TPM keys. Most system manufacturers only allow the reset or clear operation to be done through the BIOS. Check with your PC or motherboard manufacturer on how to do this.
Why do I need to create a key archive password? When will I need it?
When you create a new location to store your archived TPM keys, these keys are protected (encrypted) and a password is required to initiate any key recovery process for security reasons. If you are archiving keys to your company’s EKMS server, the security profile is such that a key archive password is not requested or required.
Why does the setup wizard say “Save to my TCG Security Password Vault” for my key archive password?
When you have the EMBASSY Security Center installed, you can save key archive passwords and TPM key passwords in a secure location (called the TCG Security Password Vault). If you save the password, then when you are required to use it, you can instead enter your Windows password or fingerprint (depending on your EMBASSY Security Center settings). You can also view the saved key archive password through the EMBASSY Security Center.
Why does the setup wizard require me to specify two archive locations?
If you are not using EKMS, your Settings menu has the option “Separate Restoration Key from Key Archive for Enhanced Security” selected. In this case, the TPM key archives, which are encrypted, are stored in one location, while the restoration key (a password-protected secret) needed to unlock the archives is stored in a separate location. If someone has access to your archive file and your archive password but not to the restoration key, because it is stored in a different location, they still cannot access your archived TPM keys. While this adds security to your archived keys, a successful restore requires access to both locations and your key archive password.
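The split design described above, as an added illustration that is not Wave’s code and does not reproduce KTM’s real archive format: the key archive is encrypted under a random restoration key, and that key is wrapped under a password-derived key into a second file, so the archive plus the password alone cannot be opened. Only the Python standard library is used; the HMAC-SHA256 counter-mode cipher and the file layouts are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (illustrative stream cipher, not KTM's)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _seal(key, plaintext):
    """Encrypt-then-MAC under separate subkeys; returns nonce || tag || ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest() + ct

def _open(key, blob):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def create_archive(key_blobs, archive_password):
    """Return (archive, restoration_file); KTM-style, store them in different locations."""
    restoration_key = secrets.token_bytes(32)      # random; not derived from the password
    archive = _seal(restoration_key, key_blobs)    # location 1: encrypted key archive
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", archive_password.encode(), salt, 200_000)
    return archive, salt + _seal(kek, restoration_key)  # location 2: wrapped restoration key

def restore_archive(archive, restoration_file, archive_password):
    """Needs both files plus the key archive password; raises ValueError otherwise."""
    salt, wrapped = restoration_file[:16], restoration_file[16:]
    kek = hashlib.pbkdf2_hmac("sha256", archive_password.encode(), salt, 200_000)
    restoration_key = _open(kek, wrapped)   # fails on a wrong password or damaged file
    return _open(restoration_key, archive)  # fails if the archive does not match the key

def try_restore(archive, restoration_file, archive_password):
    """Restored key blobs, or None when the password or either file is wrong."""
    try:
        return restore_archive(archive, restoration_file, archive_password)
    except ValueError:
        return None
```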
Can I work with individual TPM keys? If so, how do I identify them?
Yes. The KTM Advanced window allows you to select individual keys, view their properties, view certificates associated with them and to archive or restore them individually. In certain instances, you may want to set up a new archive location and manually select which keys are backed up to this location. Keys that can be archived are in bold font. Some keys are identifiable by data that is displayed with them. For example, keys with certificates have the certificate identifier associated with them. Also, Wave applications have a key descriptor that allows you to identify what application generated the keys.
If my TPM key is password-protected, is the password archived along with the key?
The password is only archived along with the key if you are using the EMBASSY Security Center to manage this password. If you have saved the TPM key’s password in your TCG Security Password Vault (by checking the box on the window when you create or enter the password), then you will need to authenticate when this key is backed up and when it is restored to ensure that the password is securely archived and restored. If you have not saved the TPM key’s password, then it is not archived and you must remember the password when prompted by the original application. Note: TPM key passwords usually appear as passwords for applications. For example, the password to log in to Private Information Manager is actually a TPM key password and a password to open a Document Manager Vault is a TPM key password. Not all TPM keys require passwords.
Why does KTM sometimes ask me to enter a password to archive or restore a key?
This will only happen if you have saved the TPM key’s password in the TCG Security Password Vault through your EMBASSY Security Center (ESC) settings. Your Windows password and/or fingerprint is required to access the key’s password so that it can be archived securely along with the key (or restored along with the key).
If my TPM key has a certificate associated with it, is the certificate archived along with the key?
Yes. Certificates associated with TPM keys are backed up with the key as long as the certificates have been installed when the key is backed up. If the key backup happens before the certificate is installed, the certificate will be archived with the next backup. You may also perform a manual archive after installing a certificate to archive the certificate. The benefit of backing up a certificate with the TPM key is that, if you lose the certificate but still have access to the TPM key, you can restore the certificate through Key Transfer Manager. Also, when restoring keys on a new PC, the certificate is required to accompany the keys for proper use.
Can I delete keys from my archive?
Yes. You can delete keys from an archive by using the Advanced menu. However, unless these keys are deleted from your TPM’s key hierarchy, they will be archived again. Individual applications usually control whether keys are deleted from the TPM’s key hierarchy.
How do I know if my key is being backed up?
When a key is created, Key Transfer Manager displays a message indicating that a backup of it is being created. You may also view the archives that have been created through the Advanced menu option.
How do I know what the keys are used for?
Keys are used for a variety of functions such as encrypting data (documents, e-mail, and passwords), signing data (digital signatures, authentication) and more. Review the application’s documentation to determine how and when TPM keys are used.
What happens if I create a key when my archive location is not available?
The next time a key archive is initiated and your archive location is accessible, this key will be backed up. This archive can be initiated in multiple ways, as follows:
- By manually selecting “Archive TPM Keys…” from the KTM menu.
- When another key is created.
- By requesting a restore.
- When a scheduled archive operation runs.
If you need additional information, please submit a Support Request Form. Customer Service will contact you within one business day with a response to your inquiry. To ensure quality customer service, please include your email address and a detailed description of the issue/inquiry.