Key Transfer Manager
Frequently Asked Questions
-
Can I create more than one key archive?
Yes, you may keep archives of keys in multiple locations, unless you are connected to a network where your system administrator has set a policy that does not allow this. With multiple locations, however, only one location is "selected" (active) at any one time. When a key is created and an archive action is initiated, the key is archived to the currently selected location as shown in the Settings window.
-
How does Key Transfer Manager work?
After you install and set up KTM, the program initiates a full backup of the TPM keys you have created up to that point. If you are not automatically prompted to do a full backup, right-click the KTM icon (key with green arrow) in the Windows system tray and choose "Archive TPM Keys…". After setup, Key Transfer Manager runs in the background.
When an application requests that keys be generated (typically through the Wave TCG-Enabled Cryptographic Service Provider [CSP] software), the keys are archived automatically, provided Automatic Archiving is selected and your archive location is accessible. If automatic archiving is not enabled, or the location is not reachable, you can either archive the keys manually or set up a schedule to archive on certain days and times. Once the keys are archived, you can restore them when needed by right-clicking the KTM icon in the Windows system tray and choosing "Restore TPM Keys…".
-
How do I ensure that my TPM keys are archived?
First, ensure that an initial archive is created after setting up the archive location. We suggest that you both enable the Automatic Archiving option in Settings and create a daily archiving schedule, so that new keys are archived soon after they are created even if the location was briefly unavailable. You can view individual keys and archives through the Advanced window.
-
Are all TPM keys backed up?
TPM keys that are allowed to be backed up are called "migratable" (sometimes "migratory") keys. Non-migratable keys are bound to the TPM that created them and cannot be backed up by any tool. The application that requests creation of a key sets this property at creation time; it cannot be changed afterwards. Generally, keys used to encrypt data are migratable (can be backed up).
-
How do I access the archive and restore commands? How do I get to the KTM menu of commands?
You can access these commands for all TPM keys through a right mouse click on the KTM icon (key with green arrow) in the Windows system tray (bottom right-hand corner of your screen). This brings up the KTM menu. If you select the Advanced option from this menu, you are able to perform Archive and Restore commands on individual keys. Also, if you have the EMBASSY Security Center application, these commands can be accessed from the Key Transfer Manager tab. Automatic and scheduled archiving relieves you of having to remember to manually archive your TPM keys.
-
Where are the archives stored?
Archives are stored wherever you or your administrator chose to store them during the KTM setup. The Settings window will show you the archive location or locations and which location is currently selected. Choosing the Details button from the Settings window will show you the individual location as well (you may need to click and drag the right-hand border of the value field outside of the window to view long filenames). Alternatively, the top tree hierarchy in the Archive tab from the Advanced menu also points to the location.
-
Why do you recommend not creating an archive on the local hard drive?
Wave recommends that you do not choose an archive location on your local hard drive, because the archive exists precisely to support recovery after a hard drive failure. The TPM and its associated software store some data on the local hard drive; if the archive is also stored there and the drive crashes, recovery of TPM keys would not be possible. Common alternative locations include USB flash drives, network drives, or any other media to which you can save files.
-
What is the TPM Owner password and why does the setup wizard require it?
The TPM Owner password is an administrator password that is required to start using the TPM security chip (it is created during a process called "Take Ownership"). The Trusted Computing Group (TCG) specifications require TPM owner authorization to approve a migration destination for keys, so the setup wizard asks for this password when you create a new location to store archived TPM keys.
-
What if I forget my TPM Owner password?
If a system administrator initialized your TPM and created this password, they may be able to provide it to you. If you did the initial setup yourself but cannot remember it, you will need to clear the TPM owner, which re-initializes the TPM chip. Be aware that clearing the TPM discards all keys stored under the previous owner, so make sure your migratable keys are archived first; they can then be restored from the archive after you take ownership again, but non-migratable keys are lost. Most system manufacturers only allow this operation to be performed through the BIOS. Check with your PC or motherboard manufacturer on how to do this.
-
Why do I create a key archive password? When will I need it?
When you create a new location to store your archived TPM keys, these keys are protected (encrypted) and a password is required to initiate any key recovery process for security reasons. If you are archiving keys to your company’s KTM Enterprise Server, the security profile is such that a key archive password is not requested or required.
-
Why does the setup wizard say “Save to my TCG Security Password Vault” for my key archive password?
When you have the EMBASSY Security Center installed, you can save key archive passwords and TPM key passwords in a secure location (called the TCG Security Password Vault). If you save the password, then when you are required to use it, you can instead enter your Windows password or fingerprint (depending on your EMBASSY Security Center settings). You can also view the saved key archive password through the EMBASSY Security Center.
-
Why does the setup wizard require me to specify two archive locations?
The Settings window has the option "Separate Restoration Key from Key Archive for Enhanced Security" selected. In this case, the TPM key archives, which are encrypted, are stored in one location, while the restoration key (a password-protected secret) needed to unlock the archives is stored in a separate location. If someone obtains your archive file and your archive password but does not have the restoration key, because it is stored elsewhere, they still cannot access your archived TPM keys. While this adds security to your archived keys, it also means that you must have access to both locations and remember your key archive password in order to restore.
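The following added example (not Wave's code, and not KTM's actual file format, which the page does not describe) illustrates the two-location design just described: the archive blob is encrypted under a random restoration key, and that restoration key is stored separately, wrapped under a key derived from the archive password. Recovery needs the archive, the restoration blob and the password; any two of the three are not enough. The key names, the `name=hex` payload format and the iteration count are assumptions made for the illustration, and the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the example runs with only the Python standard library; a production tool would use an authenticated cipher such as AES-GCM instead.

```python
"""Two-location key archive: encrypted archive + separately stored,
password-wrapped restoration key. Illustrative only; stdlib-only cipher."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
PBKDF2_ITERATIONS = 200_000  # assumed value for the illustration


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key, wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_archive(migratable_keys: dict, password: str):
    """Return (archive_blob, restoration_blob) to be stored in two locations.

    migratable_keys maps a key name to its (already exported) key material.
    The payload format 'name=hex' is an assumption for this example."""
    restoration_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(SALT_LEN)
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    payload = b"\n".join(name.encode() + b"=" + blob.hex().encode()
                         for name, blob in migratable_keys.items())
    archive_blob = _seal(restoration_key, payload)          # location 1
    restoration_blob = salt + _seal(pw_key, restoration_key)  # location 2
    return archive_blob, restoration_blob


def restore_archive(archive_blob: bytes, restoration_blob: bytes, password: str) -> dict:
    """Unwrap the restoration key with the password, then open the archive.
    Raises ValueError if the password, the restoration blob or the archive is wrong."""
    salt, wrapped = restoration_blob[:SALT_LEN], restoration_blob[SALT_LEN:]
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    restoration_key = _unseal(pw_key, wrapped)
    payload = _unseal(restoration_key, archive_blob)
    keys = {}
    for line in payload.split(b"\n"):
        if line:
            name, hexkey = line.split(b"=", 1)
            keys[name.decode()] = bytes.fromhex(hexkey.decode())
    return keys


if __name__ == "__main__":
    # Constructed sample key material; real TPM key blobs would come from the TSS.
    sample = {"pim_login_key": secrets.token_bytes(32), "doc_vault_key": secrets.token_bytes(32)}
    archive, restoration = create_archive(sample, "correct horse battery")
    assert restore_archive(archive, restoration, "correct horse battery") == sample
    print("round trip ok; archive alone is", len(archive), "bytes, restoration blob", len(restoration))
```

Note that the archive blob carries no trace of the password: an attacker holding the archive and the password still has to obtain the restoration blob from the second location, which is the property the Settings option buys you.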
-
What is Key Transfer Manager (KTM)?
Key Transfer Manager (KTM) is a key archive system for end users and enterprises that need a simple yet fully featured method to securely archive, restore, and transfer TPM keys and some associated data (certificates and saved key passwords). When used with Wave's EMBASSY Key Manager Server (EKMS), enterprises have a way to manage this critical issue easily across their network.
-
Can I work with individual TPM keys? If so, how do I identify them?
Yes. The KTM Advanced window allows you to select individual keys, view their properties, view certificates associated with them and to archive or restore them individually. In certain instances, you may want to set up a new archive location and manually select which keys are backed up to this location. Keys that can be archived are in bold font. Some keys are identifiable by data that is displayed with them. For example, keys with certificates have the certificate identifier associated with them. Also, Wave applications have a key descriptor that allows you to identify what application generated the keys.
-
If my TPM key is password-protected, is the password archived along with the key?
The password is only archived along with the key if you are using the EMBASSY Security Center to manage this password. If you have saved the TPM key’s password in your TCG Security Password Vault (by checking the box on the window when you create or enter the password), then you will need to authenticate when this key is backed up and when it is restored to ensure that the password is securely archived and restored. If you have not saved the TPM key’s password, then it is not archived and you must remember the password when prompted by the original application. Note: TPM key passwords usually appear as passwords for applications. For example, the password to log in to Private Information Manager is actually a TPM key password and a password to open a Document Manager Vault is a TPM key password. Not all TPM keys require passwords.
-
Why does KTM sometimes ask me to enter a password to archive or restore a key?
This will only happen if you have saved the TPM key’s password in the TCG Security Password Vault through your EMBASSY Security Center (ESC) settings. Your Windows password and/or fingerprint is required to access the key’s password so that it can be archived securely along with the key (or restored along with the key).
-
If my TPM key has a certificate associated with it, is the certificate archived along with the key?
Yes. Certificates associated with TPM keys are backed up with the key as long as the certificates have been installed when the key is backed up. If the key backup happens before the certificate is installed, the certificate will be archived with the next backup. You may also perform a manual archive after installing a certificate to archive the certificate. The benefit of backing up a certificate with the TPM key is that, if you lose the certificate but still have access to the TPM key, you can restore the certificate through Key Transfer Manager. Also, when restoring keys on a new PC, the certificate is required to accompany the keys for proper use.
-
Can I delete keys from my archive?
Yes. You can delete keys from an archive by using the Advanced menu. However, unless these keys are deleted from your TPM’s key hierarchy, they will be archived again. Individual applications usually control whether keys are deleted from the TPM’s key hierarchy.
-
How do I know if my key is being backed up?
When a key is created and archived, Key Transfer Manager displays a message in the lower right-hand corner of your screen indicating that a backup is being created. You may also view the archives that have been created through the Advanced menu option.
-
How do I know what the keys are used for?
Keys are used for a variety of functions such as encrypting data (documents, e-mail, passwords), signing data (digital signatures, authentication) and more. Review the application’s documentation to determine how and when TPM keys are used.
-
What do I need to do to restore keys?
First, ensure that the TPM is working: all TPM-related software must be installed, ownership must have been taken, and you should have the TPM Owner password. Next, ensure that Key Transfer Manager is installed on the PC and that the archive location points to the file or files from which you are restoring keys. Third, have your key archive password available. Right-click the KTM icon (key with green arrow) in the Windows system tray, select "Restore TPM Keys…", and enter your key archive password when prompted.
-
Is EMBASSY® Trust Suite compatible with Vista?
EMBASSY Trust Suite and Vista Compatibility
Dell has released ETS "Lite" for Vista as version A14. This package includes Embassy Trust Suite, UPEK drivers, and the NTRU TSS. If your system shipped with a pre-installed copy of Embassy Trust Suite, you can obtain the Vista-compatible version from the Dell website.
If you are upgrading from XP to Vista, please follow the upgrade instructions:
XP to Vista Upgrade
ETS Enterprise Security Dell Edition 3.x and Wave ETS 6.x fully support the Windows Vista OS.
Previous versions of these products do not support the Windows Vista OS.
Upgrading to a Vista-compatible version of ETS
- Dell customers should visit the Dell website for updates. (For more information on obtaining updates for your Dell computer, please see the following article PBA-002.)
- If you purchased ETS Enterprise through Envoy Data or Dell, you will need to purchase a new license.
-
How does EKMS work with KTM?
The Key Transfer Manager (KTM) client software formats the TPM-secured keys, certificates and passwords into individual migration packages and securely transmits them to the server for storage and subsequent recovery. Retrieval of the archived information requires authorized access based upon the company's security policy settings.
-
How do I start Key Transfer Manager?
Under normal conditions, Key Transfer Manager automatically starts when you start Windows. It runs in the background, and if functioning properly, will display the Key Transfer Manager icon in the Windows system tray (usually the lower right-hand corner of your screen). If the icon is not present or you exited the program, you can start Key Transfer Manager using one of these methods:
- From the Windows Start Menu, select Start > Programs > Wave Systems Corp > Key Transfer Manager.
- If you have the Wave Systems EMBASSY Trust Suite installed, you can start the EMBASSY Trust Suite application and press the Key Transfer Manager button. To start the EMBASSY Trust Suite application, select Start > Programs > Wave Systems Corp > EMBASSY Trust Suite.
-
What scenarios does Key Transfer Manager (KTM) cover?
The Trusted Platform Module (TPM) security chip generates and stores cryptographic keys in hardware for use by secure applications. Windows does not provide backup and recovery procedures for these keys. Key Transfer Manager assists in the backup and recovery of keys generated by the TPM security chip for scenarios, such as:
- Hard drive failure.
- Motherboard or TPM chip malfunction.
- Transfer to a new trusted PC.
- Recovery of certificates or keys on the original platform, should the need arise.
-
Will using Key Transfer Manager ensure that I can recover my secure data?
Using KTM ensures that you can recover certain keys that are used to unlock your secure data. You must use another backup and restore mechanism for the data encrypted by these keys, as KTM does not back up or restore that data.
Some keys, however, are used only for authentication and not for encryption, so there may be no separate data to back up. For example, to recover e-mail encrypted with TPM keys, KTM can back up and restore the key and certificate, but the encrypted e-mails themselves must be backed up and restored by other means.
With Document Manager, KTM can back up and restore the encryption key, but the encrypted data in the Document Manager Vault location should be backed up separately.
-
What happens if I create a key when my archive location is not available?
The next time a key archive is initiated and your archive location is accessible, this key will be backed up. This archive can be initiated in multiple ways, as follows:
- By manually selecting “Archive TPM Keys…” from the KTM menu.
- When another key is created.
- By requesting a restore.
- When a scheduled archive operation runs.
Additional Support
If you need additional information, please submit a Support Request Form. Customer Service will contact you within one business day with a response to your inquiry. To ensure quality customer service, please include your email address and a detailed description of the issue/inquiry.