nerdexam
(ISC)2

CISSP · Question #985

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely sto

The correct answer is D. Trusted Platform Module (TPM). When designing an internal CA, private keys must be stored in a hardware-based cryptographic module that provides tamper resistance and secure key operations. The TPM is purpose-built for this function.

Submitted by klara.se· Mar 5, 2026Security Architecture and Engineering

Question

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys?

Options

  • APhysically secured storage device
  • BEncrypted flash drive
  • CPublic key infrastructure (PKI)
  • DTrusted Platform Module (TPM)

How the community answered

(56 responses)
  • A
    16% (9)
  • B
    9% (5)
  • C
    4% (2)
  • D
    71% (40)

Why each option

When designing an internal CA, private keys must be stored in a hardware-based cryptographic module that provides tamper resistance and secure key operations. The TPM is purpose-built for this function.

APhysically secured storage device

A physically secured storage device (e.g., a safe or locked cabinet) provides physical access control but offers no cryptographic protection against logical attacks, key extraction, or unauthorized copying of the private key data itself.

BEncrypted flash drive

An encrypted flash drive protects data at rest from physical theft, but once the drive is mounted and decrypted by an authorized user or process, the private key is exposed in memory and vulnerable to logical attacks or malware.

CPublic key infrastructure (PKI)

PKI is the overarching framework and infrastructure for managing digital certificates and key pairs; it is not itself a storage mechanism and does not directly address how private keys are securely stored or protected.

DTrusted Platform Module (TPM)Correct

A Trusted Platform Module (TPM) is a dedicated hardware security chip designed specifically to generate, store, and protect cryptographic keys in a tamper-resistant environment. Unlike software-based or general-purpose storage solutions, the TPM ensures private keys never leave the secure hardware boundary in plaintext, and cryptographic operations are performed within the chip itself. This makes it the gold standard for protecting CA private keys against extraction and compromise.

Concept tested: Hardware-based private key storage using TPM

Source: https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview

Topics

#PKI#private key storage#TPM#certificate authority

Community Discussion

No community discussion yet for this question.

Full CISSP Practice