2.4.3. Cryptographic Tools
💡 First Principle: Algorithms are only as secure as the systems that generate, store, and use the keys. AES-256 is useless if the key sits in a plaintext file on the same server as the ciphertext, or in the memory of a process an attacker can dump. Cryptographic tools provide the hardware and software infrastructure that makes key management trustworthy: a boundary that keys never cross in plaintext, so an attacker who compromises the host software still cannot copy them.
Trusted Platform Module (TPM): a dedicated chip on the motherboard (or a firmware TPM inside the CPU or chipset) that generates and protects cryptographic keys. Keys created inside the TPM as non-exportable never leave it in plaintext; the TPM signs or decrypts internally and returns only the result, so malware on the host cannot read the key out of system memory. Uses: full-disk encryption (BitLocker seals its volume master key to the TPM, which releases it only when the boot measurements match the values recorded at setup), measured boot (each firmware, bootloader, and OS component is hashed into the TPM's Platform Configuration Registers, the PCRs, before it runs), and remote attestation (the TPM signs a quote of the PCR values so a verifier can check that the device booted the expected configuration). Two caveats the exam glosses over. First, UEFI Secure Boot, which checks signatures on boot components, is a firmware feature, not a TPM feature: the TPM records what booted, it does not block it. Second, once the TPM unseals a value such as the BitLocker key, that key is in system memory for the OS to use; the TPM protects keys at rest and against anyone who cannot reproduce the expected PCR values, not against malware running inside a legitimately booted OS.
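To make the measured-boot and sealing relationship concrete, here is an added example (written for this page, not taken from any TPM vendor, library, or the original text) that simulates the two mechanisms in Go: a PCR that can only ever be extended, and a sealed object that is released only when the PCR equals the value recorded at seal time. The simTPM type, the single PCR, the boot-stage strings, and the disk key are all constructed for the illustration; a real TPM is driven through tpm2-tools or a library such as go-tpm, has 24 PCRs, and encrypts sealed data under a key that never leaves the chip.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// simTPM is a software model of the two TPM mechanisms the text describes: Platform
// Configuration Registers (PCRs) that accumulate boot measurements, and sealed objects
// the chip releases only when the PCRs match the value recorded at seal time. It is an
// illustration only: a real TPM has 24 PCRs, keeps sealed data encrypted under a key
// that never leaves the chip, and evaluates a richer policy language.
type simTPM struct {
	pcr    [32]byte                // one PCR; firmware normally spreads measurements over PCR 0-7
	sealed map[string]sealedObject // objects held inside the chip boundary
}

type sealedObject struct {
	secret []byte
	policy [32]byte // PCR value the chip requires before releasing secret
}

func newSimTPM() *simTPM {
	return &simTPM{sealed: map[string]sealedObject{}}
}

// Extend is the one-way PCR update: PCR = SHA-256(PCR || SHA-256(component)).
// Code that runs later can add measurements but never erase or rewrite earlier ones,
// which is what makes the final PCR value a faithful, order-sensitive record of what booted.
func (t *simTPM) Extend(component []byte) {
	m := sha256.Sum256(component)
	buf := append(append(make([]byte, 0, 64), t.pcr[:]...), m[:]...)
	t.pcr = sha256.Sum256(buf)
}

// Seal stores secret bound to the current PCR value.
func (t *simTPM) Seal(name string, secret []byte) {
	t.sealed[name] = sealedObject{secret: append([]byte(nil), secret...), policy: t.pcr}
}

// Unseal releases the secret only if the PCR now equals the sealing policy.
func (t *simTPM) Unseal(name string) ([]byte, error) {
	obj, ok := t.sealed[name]
	if !ok {
		return nil, errors.New("no such sealed object")
	}
	if obj.policy != t.pcr {
		return nil, fmt.Errorf("policy check failed: PCR %s.. != sealed %s..",
			hex.EncodeToString(t.pcr[:4]), hex.EncodeToString(obj.policy[:4]))
	}
	return append([]byte(nil), obj.secret...), nil
}

// measuredBoot models power-on (PCR reset) followed by measuring each boot stage in order.
func measuredBoot(t *simTPM, chain [][]byte) {
	t.pcr = [32]byte{}
	for _, stage := range chain {
		t.Extend(stage)
	}
}

// provision boots the known-good chain once and seals the disk key to it.
func provision(t *simTPM, goodChain [][]byte, diskKey []byte) {
	measuredBoot(t, goodChain)
	t.Seal("disk-key", diskKey)
}

// bootAndUnseal is what the OS loader does on every boot: measure, then ask for the key.
func bootAndUnseal(t *simTPM, chain [][]byte) ([]byte, error) {
	measuredBoot(t, chain)
	return t.Unseal("disk-key")
}

func main() {
	// Constructed stand-ins for boot stages; a real loader hashes the actual binaries.
	good := [][]byte{[]byte("bootloader v1"), []byte("kernel 6.1")}
	tampered := [][]byte{[]byte("bootloader v1"), []byte("kernel 6.1 + bootkit")}

	tpm := newSimTPM()
	provision(tpm, good, []byte("constructed-disk-key"))

	for _, c := range []struct {
		name  string
		chain [][]byte
	}{{"good", good}, {"tampered", tampered}} {
		key, err := bootAndUnseal(tpm, c.chain)
		fmt.Printf("%-8s boot: key=%q err=%v\n", c.name, key, err)
	}
}
```

Run it and the good chain unseals the key while the tampered kernel, or the same components measured in a different order, fails the policy check. That order sensitivity is the point of the extend operation: a bootkit cannot load first and then "fix" the PCR afterwards, because extend has no inverse.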
Hardware Security Module (HSM): a dedicated, tamper-resistant device (PCIe card, network appliance, or USB token) for generating, storing, and using cryptographic keys. More robust than a TPM: tamper-evident and tamper-responsive (opening the enclosure or attacking it physically zeroizes the keys), performs cryptographic operations internally so keys never leave the device in plaintext, validated against FIPS 140-2/140-3 security levels, and built for high-volume workloads (thousands of signatures or key-wrap operations per second, where a TPM manages a handful and serves only its own machine). Applications reach it through standard interfaces such as PKCS#11. Uses: Certificate Authority root and issuing key protection, payment processing (the PCI PIN Security standard, not PCI DSS itself, requires PIN encryption and key management inside a secure cryptographic device, in practice an HSM), code signing, and enterprise key management, where the HSM holds the key-encryption key and hands applications only wrapped data keys. Deployed as on-premises appliances or as cloud services (AWS CloudHSM, Azure Dedicated HSM); managed KMS services such as AWS KMS are backed by HSMs but expose only a wrap/unwrap and sign API rather than the device itself.
Key management system (KMS): software, often fronting an HSM, that handles the full key lifecycle: generation (with a cryptographically secure random number generator, never a general-purpose PRNG), distribution (delivering keys to authorized systems wrapped under a key-encryption key or over an authenticated channel), rotation (periodic replacement so that a compromised key exposes only a bounded window of data; ciphertext must carry a key identifier or version so older data can still be decrypted after rotation), storage (encrypted at rest, access-controlled, with every use audited), and destruction (zeroizing the key and verifying that no copies remain, after which data still encrypted under it is unrecoverable, so re-encrypt first). Poor key management is a common cryptographic failure: strong algorithms with mismanaged keys provide false confidence, and the usual failures are keys hard-coded in source, committed to repositories, or reused across environments.
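The HSM and key-lifecycle descriptions above fit together as envelope encryption, which this added example (written for this page, not taken from any HSM vendor, KMS product, or the original text) shows in Go: a KeyWrapper interface standing in for the HSM's Wrap/Unwrap API, data-encryption keys kept only in wrapped form and tagged with a version, rotation that keeps old versions readable, and destruction that makes data under a retired key unrecoverable. The softKEK type, the KeyRing layout, the 4-byte version prefix, and all names are assumptions made for the illustration; the cryptography is the standard library's AES-256-GCM, and binary.BigEndian.AppendUint32 needs Go 1.19 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyWrapper is the narrow API an HSM or managed KMS exposes for envelope encryption:
// the key-encryption key (KEK) never leaves the device, only wrapped data keys do.
type KeyWrapper interface {
	Wrap(dek []byte) []byte
	Unwrap(wrapped []byte) ([]byte, error)
}

// softKEK stands in for the HSM so the example runs anywhere; it is NOT tamper-resistant.
type softKEK struct{ kek []byte }

func (s softKEK) Wrap(dek []byte) []byte                { return gcmSeal(s.kek, dek) }
func (s softKEK) Unwrap(wrapped []byte) ([]byte, error) { return gcmOpen(s.kek, wrapped) }

// randomBytes draws from the OS CSPRNG (generation step); math/rand here is the classic failure.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy nothing safe can be done
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length: a bug here, not bad input
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// gcmSeal: AES-256-GCM under a fresh random nonce; output is nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen verifies the tag before decrypting, so a wrong key or any tampering fails here.
func gcmOpen(key, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// KeyRing keeps data-encryption keys (DEKs) by version, only ever in wrapped form (storage step).
type KeyRing struct {
	hsm     KeyWrapper
	current uint32            // version used for new encryptions
	wrapped map[uint32][]byte // retired versions stay until re-encrypted away and destroyed
}

// Rotate generates a fresh DEK, wraps it under the KEK and makes it current (rotation step).
func (r *KeyRing) Rotate() {
	r.current++
	r.wrapped[r.current] = r.hsm.Wrap(randomBytes(32))
}

// Encrypt prefixes each blob with the DEK version so Decrypt knows which key to unwrap.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	dek, err := r.hsm.Unwrap(r.wrapped[r.current])
	if err != nil {
		return nil, err
	}
	return append(binary.BigEndian.AppendUint32(nil, r.current), gcmSeal(dek, plaintext)...), nil
}

func (r *KeyRing) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	dek, err := r.hsm.Unwrap(r.wrapped[binary.BigEndian.Uint32(blob)]) // destroyed version -> nil -> rejected
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, blob[4:])
}

// Destroy drops a retired DEK (destruction step); re-encrypt its data first, it is unrecoverable after.
func (r *KeyRing) Destroy(version uint32) error {
	if version == r.current {
		return errors.New("refusing to destroy the current key version")
	}
	delete(r.wrapped, version)
	return nil
}
```

Build a ring with `&KeyRing{hsm: softKEK{kek: randomBytes(32)}, wrapped: map[uint32][]byte{}}` and call Rotate once before encrypting. Re-encryption is just Decrypt followed by Encrypt, which moves a blob onto the current version; only after every blob under a retired version has been moved is Destroy safe. Swapping softKEK for a real HSM or KMS client changes nothing else, which is the design point: the application never handles the KEK, so a compromise of the application host exposes only the data keys it has unwrapped during its session.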
Secure enclave (also called a trusted execution environment, TEE): a hardware-isolated execution environment inside a processor. Code and data in the enclave are protected from the OS, the hypervisor, and other processes, and memory encryption protects enclave pages in RAM against bus probing and cold-boot attacks. Examples: Apple Secure Enclave (a separate coprocessor holding biometric templates and device keys), Intel SGX (application-level enclaves for confidential computing), AMD SEV (whole VMs encrypted with per-VM keys so the cloud provider's hypervisor cannot read guest memory). Caveat: an enclave shrinks the trusted computing base, it does not eliminate it. Bugs in enclave code are still exploitable from inside, published side-channel attacks have extracted secrets from SGX enclaves, and "protected from physical access" means resistance to memory probing, not immunity to every attack with the hardware in hand. A TEE is a complement to careful code and to attestation that the expected enclave is actually running, not a substitute for them.
⚠️ Exam Trap: TPM = chip built into the motherboard of a single device: one per machine, low throughput, protects that machine's own keys and boot measurements. HSM = separate dedicated device (enterprise-grade, often rack-mounted or a PCIe card): tamper-resistant, FIPS 140-validated, built for high-volume operations and shared by many systems. Both keep keys in hardware; the question's description of the hardware (built-in chip versus standalone appliance) and of the scale (one laptop versus a CA or payment switch) determines the answer.
