Yes - B
TPM is an in-built chip on the motherboard (for example, iPhone calls it T2), while HSM is an external hardware device that can be removed. HSM usage is usually for datacentres, while TPM focuses on endpoint/device/machine.
Not A. BitLocker is a full disk encryption tool that can use TPM to protect keys, but it does not include a root key itself — it relies on TPM for that.
Not C. VSAN is a virtualized storage infrastructure concept, not a cryptographic or key management solution.
Not D. HSM can manage root keys, but it is typically used in enterprise or server environments, not individual endpoints.
TPM is a hardware component that stores cryptographic keys securely, including the root key used for encryption, but by itself, it is not an encryption solution.
Changing to A, just realised that the keyword is encryption. And BitLocker only provides encryption when TPM is used along with BitLocker it uses root key. But TPM itself is not an encryption method.
The solution that includes a root key is:
B. Trusted Platform Module (TPM).
A Trusted Platform Module (TPM) is a hardware-based security device that provides secure generation and storage of cryptographic keys, including root keys. It is designed to ensure the integrity of the platform and can be used to securely encrypt data on an endpoint.
While BitLocker is a robust encryption solution, it does not inherently include a root key. BitLocker works in conjunction with a Trusted Platform Module (TPM) to provide enhanced security, but the TPM is the component that generates and stores the root key. BitLocker itself is a software feature that encrypts entire volumes and relies on the TPM for secure key management.
In contrast, the TPM is specifically designed to generate, store, and manage cryptographic keys, including root keys, making it the correct answer for a solution that includes a root key.
A Trusted Platform Module (TPM) is a hardware-based security feature that includes a root key stored in a secure cryptographic processor. TPM is used for encryption, secure boot, and system integrity verification. It helps in securely encrypting data on endpoints by managing encryption keys, such as those used by BitLocker in Windows.
While BitLocker can leverage TPM for secure key storage and encryption, it does not include a root key itself. The root key comes from the TPM, not BitLocker.
BitLocker is a full disk encryption feature built into Windows that uses a root key to encrypt the data on an endpoint. The root key is typically protected using a Trusted Platform Module (TPM) chip, which provides hardware-based security for the encryption keys, ensuring that they are not easily accessible or tampered with.
Comparison:
TPM:
Integrated into endpoint devices.
Secure storage of root keys.
Used for disk encryption (e.g., BitLocker).
Cost-effective for individual devices.
HSM:
External hardware used in server environments.
Provides high-security key management for enterprise applications.
More expensive and complex to implement on individual endpoints.