EMBASSY Key Management Server
The Solution for Trusted Computing Key Management
As the new generation of PCs with Trusted Platform Module (TPM) security is deployed, businesses must provide administration and management for these trusted systems. Wave Systems' EMBASSY Key Management Server addresses the most pressing infrastructure issue for today's trusted computing marketplace: providing enterprise-class backup and transfer of TPM encryption keys, a process known as migration.
Migration and TPM key recovery are vital for all businesses, and especially for those that must retain access to encrypted data for a predetermined time. EMBASSY Key Management Server eliminates the risk of serious data loss in the event that a TPM security chip or hard drive is corrupted. Further, moving data to a replacement PC requires an efficient and secure process for transferring the appropriate TPM-secured keys.
EMBASSY Key Management Server (EKMS) is a server software product for secure backup and restoration of protected keys from one TPM-enabled system to another according to security policies defined on the server.
The KTM client software formats TPM-secured keys into individual migration packages and securely transmits them to the server for storage and subsequent recovery. Retrieval of the archived information requires authorized access based on the enterprise's security policy settings.
EMBASSY Key Management Server offers advantages beyond currently available solutions by giving the user and the IT manager a straightforward way to ensure compliance and protection. By giving IT administrators control over the backup and the security of the data, the business can be confident that its TPM-secured intellectual property assets are secure and recoverable.
- Hardware Security Module — When used with a Hardware Security Module (HSM), EMBASSY Key Management Server never exposes keys outside the server's secure hardware. The optional HSM is IBM's 4758 PCI Cryptographic Coprocessor, which allows the server to deliver the highest security and data integrity for TCG migration services.
- Active Directory — EMBASSY Key Management Server uses Active Directory for user authentication and policy management. Access control is role-based and integrated with Active Directory user authentication.
- User Transfer — An administrator can designate that migration packages be downloadable by a different authorized user or user group, which is useful during employee turnover.
- Automated Client Setup Options — EMBASSY Key Management Server supports automated software distribution technologies for the client install, such as Windows Server 2003 Group Policy and Microsoft SMS. EKMS includes features that let software administrators centrally install and manage client deployments throughout the organization. The KTM client software can be installed and configured, and can then perform the initial archive, without user intervention.
- Policy-Driven — EMBASSY Key Management Server is policy-driven and designed to work with trusted platforms and enterprises that have differing security policies. The policy editor allows an administrator to set policies; policies are administered through Active Directory, and server policies override client settings.
- Easy Administration — EMBASSY Key Management Server's administrative interface is a Microsoft Management Console (MMC) snap-in. EKMS administrators are ordinary domain members who have been granted the privileges to execute EKMS administrator actions.
- Reduced Support Costs — Limits potential data loss and reduces employee downtime during platform malfunction or transfer. An easy-to-use, hassle-free solution reduces the need for end-user support.
- Greater Productivity — Faster and more complete recovery in cases of TPM malfunction, platform replacement and application-based key restoration. Gives the end user confidence that their keys are protected.
- Simplified Administration — More efficient processes for IT administration of trusted platforms as they are deployed in the business setting.
- Heightened Security — Secure remote archival of TPM-secured intellectual property assets with adaptable security policies. Optional verification of the TPM's credential prevents software TPM emulators from gaining access to keys.
- Better Control — Enterprise control and management of sensitive TPM data, with authentication of users.
- Increased Flexibility — Policy management that allows for flexibility in user actions, authentication, restoring to a new user and more.
- Key Escrow Capabilities — Server architecture provides enterprises with key escrow system capabilities.
- Familiar Interface — Actions and underlying functions are familiar for administrators in an Active Directory environment.
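The archive-and-restore flow described above (client uploads a migration package, the server stores it, retrieval is policy-gated) and the feature list (HSM-wrapped storage, role-based access, user transfer, server policy overriding the client, optional TPM credential verification) can be modelled in a few dozen lines. The following is an added illustration and is not Wave Systems' EKMS code, nor the TCG migration package format: the HSM, the Active Directory group lookup, the TPM credential check and the toy wrapping cipher are all stand-ins constructed for the example, and every user, TPM identifier and role name in it is made up.

```python
"""Toy model of policy-driven TPM key escrow (migration) with an HSM stand-in.
Illustrative only: not EKMS code and not the real TCG migration package format."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class HsmStub:
    """Stands in for the server's HSM: holds the archive wrapping keys and exposes
    only wrap/unwrap, so the keys never leave this object.  The cipher is a toy
    (SHA-256 counter keystream plus an HMAC tag), used in place of a real AEAD."""

    def __init__(self):
        self._enc_key = os.urandom(32)
        self._mac_key = os.urandom(32)

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._enc_key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def wrap(self, plaintext):
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, "sha256").digest()
        return nonce + ct + tag

    def unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("migration package failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


@dataclass
class ServerPolicy:
    allow_restore_to_new_user: bool = True   # the "User Transfer" feature
    require_tpm_credential: bool = True      # optional TPM credential verification
    trusted_tpms: frozenset = frozenset()    # stand-in for TPMs whose credential verified


@dataclass
class MigrationPackage:
    package_id: str
    owner: str
    wrapped: bytes
    transferees: set = field(default_factory=set)  # users an administrator has authorized


class EscrowServer:
    def __init__(self, hsm, policy, directory):
        self.hsm, self.policy = hsm, policy
        self.directory = directory   # user -> set of roles, stand-in for AD group membership
        self.packages, self.audit = {}, []

    def _check_tpm(self, tpm_id):
        if self.policy.require_tpm_credential and tpm_id not in self.policy.trusted_tpms:
            raise PermissionError(f"TPM {tpm_id} credential not verified")

    def archive(self, user, tpm_id, key_material, client_settings):
        """Client uploads key material; the server wraps it inside the HSM stand-in.
        client_settings is deliberately not consulted: server policy overrides it."""
        self._check_tpm(tpm_id)
        package_id = hashlib.sha256(os.urandom(16)).hexdigest()[:12]
        self.packages[package_id] = MigrationPackage(package_id, user, self.hsm.wrap(key_material))
        self.audit.append(("archive", user, package_id))
        return package_id

    def designate_transfer(self, admin, package_id, new_user):
        """Role check (AD stand-in) then policy check before widening access."""
        if "ekms-admin" not in self.directory.get(admin, set()):
            raise PermissionError(f"{admin} is not an EKMS administrator")
        if not self.policy.allow_restore_to_new_user:
            raise PermissionError("policy forbids restoring to a new user")
        self.packages[package_id].transferees.add(new_user)
        self.audit.append(("transfer", admin, package_id, new_user))

    def restore(self, user, tpm_id, package_id):
        pkg = self.packages[package_id]
        if user != pkg.owner and user not in pkg.transferees:
            raise PermissionError(f"{user} may not restore package {package_id}")
        self._check_tpm(tpm_id)
        self.audit.append(("restore", user, package_id))
        return self.hsm.unwrap(pkg.wrapped)


def denied(action):
    """True if the zero-argument action raised PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


def run_demo():
    """Constructed scenario: alice archives from a trusted TPM, bob is refused,
    an administrator designates bob as transferee (employee turnover), bob restores."""
    policy = ServerPolicy(trusted_tpms=frozenset({"tpm-A1", "tpm-B7"}))
    directory = {"alice": {"domain-user"}, "bob": {"domain-user"},
                 "carol": {"domain-user", "ekms-admin"}}
    server = EscrowServer(HsmStub(), policy, directory)
    secret = b"constructed TPM-wrapped key blob"
    pid = server.archive("alice", "tpm-A1", secret, {"skip_tpm_check": True})
    return {
        "owner_restores": server.restore("alice", "tpm-A1", pid) == secret,
        "stranger_denied": denied(lambda: server.restore("bob", "tpm-B7", pid)),
        "non_admin_denied": denied(lambda: server.designate_transfer("bob", pid, "bob")),
        "admin_transfer_ok": not denied(lambda: server.designate_transfer("carol", pid, "bob")),
        "transferee_restores": server.restore("bob", "tpm-B7", pid) == secret,
        "untrusted_tpm_denied": denied(lambda: server.restore("bob", "tpm-rogue", pid)),
        "untrusted_archive_denied": denied(lambda: server.archive("alice", "tpm-rogue", secret, {})),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The design point worth noticing is the ordering in `restore`: the ownership or transferee check and the TPM credential check both run before anything is unwrapped, and the unwrap itself happens inside the HSM stand-in, so a package that fails policy is never decrypted on the way to being refused. The audit list records who archived, transferred or restored which package, which is the minimum an administrator needs to reconstruct a key's custody history.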