by Nextgrid 963 days ago
The whole machine walking off is more detectable though. You can use TPM as one factor (among many, such as the presence of the machine on the expected network and no unexpected downtimes) to obtain storage keys from a separate trusted server, using TPM remote attestation to assert the machine hasn't been tampered with in-place (by merely booting it off a compromised OS).

The separate authentication server can be configured to only hand out the storage encryption key on expected reboots, so if the machine unexpectedly walks off and then powers back on, that server would refuse to hand out the key, thus the stolen machine is now useless.
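An added sketch of the key-release policy described in the comment above (not the commenter's code or any product's): the server releases the storage key only when the attestation verifies, the request comes from the expected network, and the reboot was scheduled. All names are hypothetical, the data is constructed, and an HMAC stands in for verifying a real TPM quote signature over a server-issued nonce.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Machine:
    ak_secret: bytes                # stand-in for the TPM attestation key (assumption)
    expected_pcr_digest: bytes      # digest of PCR values for the approved boot chain
    network: ipaddress.IPv4Network  # where key requests are expected to come from
    reboot_window: Optional[tuple]  # (start, end) of an approved reboot, or None
    last_seen: float                # last heartbeat before the machine went down
    max_downtime: float             # longest outage an expected reboot should take

def sign_quote(ak_secret, nonce, pcr_digest):
    # Stand-in for a TPM quote: binds the boot measurements to a fresh nonce.
    return hmac.new(ak_secret, nonce + pcr_digest, hashlib.sha256).digest()

def release_decision(m, now, source_ip, nonce, pcr_digest, quote):
    """Return (allowed, reason). Every factor must pass before the key is released."""
    if not hmac.compare_digest(quote, sign_quote(m.ak_secret, nonce, pcr_digest)):
        return False, "quote does not verify"
    if not hmac.compare_digest(pcr_digest, m.expected_pcr_digest):
        return False, "unexpected boot measurements"   # booted off a different OS
    if ipaddress.ip_address(source_ip) not in m.network:
        return False, "request from unexpected network"
    if m.reboot_window is None or not (m.reboot_window[0] <= now <= m.reboot_window[1]):
        return False, "reboot was not scheduled"        # machine walked off, powered on later
    if now - m.last_seen > m.max_downtime:
        return False, "downtime longer than expected"
    return True, "release key"

# Constructed sample data: one machine with a reboot approved for t=1000..1600.
GOOD_PCR = hashlib.sha256(b"approved boot chain").digest()
DEMO = Machine(b"demo-ak", GOOD_PCR, ipaddress.ip_network("10.0.5.0/24"),
               (1000.0, 1600.0), 990.0, 300.0)

if __name__ == "__main__":
    nonce = b"server-issued-nonce"
    quote = sign_quote(DEMO.ak_secret, nonce, GOOD_PCR)
    for now, ip in [(1100.0, "10.0.5.7"), (5000.0, "10.0.5.7"), (1100.0, "203.0.113.9")]:
        print(now, ip, release_decision(DEMO, now, ip, nonce, GOOD_PCR, quote))
```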