CISSP · Question #985
The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely sto
The correct answer is D. Trusted Platform Module (TPM). When designing an internal CA, private keys must be stored in a hardware-based cryptographic module that provides tamper resistance and secure key operations. The TPM is purpose-built for this function.
Question
Options
- APhysically secured storage device
- BEncrypted flash drive
- CPublic key infrastructure (PKI)
- DTrusted Platform Module (TPM)
How the community answered
(56 responses)- A16% (9)
- B9% (5)
- C4% (2)
- D71% (40)
Why each option
When designing an internal CA, private keys must be stored in a hardware-based cryptographic module that provides tamper resistance and secure key operations. The TPM is purpose-built for this function.
A physically secured storage device (e.g., a safe or locked cabinet) provides physical access control but offers no cryptographic protection against logical attacks, key extraction, or unauthorized copying of the private key data itself.
An encrypted flash drive protects data at rest from physical theft, but once the drive is mounted and decrypted by an authorized user or process, the private key is exposed in memory and vulnerable to logical attacks or malware.
PKI is the overarching framework and infrastructure for managing digital certificates and key pairs; it is not itself a storage mechanism and does not directly address how private keys are securely stored or protected.
A Trusted Platform Module (TPM) is a dedicated hardware security chip designed specifically to generate, store, and protect cryptographic keys in a tamper-resistant environment. Unlike software-based or general-purpose storage solutions, the TPM ensures private keys never leave the secure hardware boundary in plaintext, and cryptographic operations are performed within the chip itself. This makes it the gold standard for protecting CA private keys against extraction and compromise.
Concept tested: Hardware-based private key storage using TPM
Source: https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview
Topics
Community Discussion
No community discussion yet for this question.