On machines using the TPM, SAKA generates a single 256-bit EC asymmetric key pair—known as the Storage Root Key (SRK) in TPM terminology—within the TPM during its initialization. The SRK is stored inside the TPM, never leaves the TPM and is used to encrypt other objects—usually cryptographic keys. All such encrypted objects are stored on the hard disk and must be brought inside the TPM—with the proper authorization—to be decrypted. The software libraries interacting with the TPM handle this and shield applications from such details. Your applications only interact with the web services provided by the SAKA and are further shielded from these mechanical details.
SAKA instances using the TPM require three (3) Key Custodians to be physically present during the installation to initialize the hardware. Three Key Custodians are also required to remotely activate the TPM for use each time the appliance is restarted. This ensures if the appliance is ever stolen, the attacker will never find anything on the appliance that can compromise the hardware module. Key Custodians use the KCSetPINTool to activate the TPM, either locally or from remote locations; see 11 for details on KCSetPINTool.