Key strategy
Various strategies are available for securing the tdx Volt root key.
Battery
In this key strategy, the tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase given to the Battery by the owner. The encrypted key is then stored in the Battery storage.
A Battery stores the configuration details required to locate and start a Volt. A passphrase is specified when the Battery is created. The Battery storage is encrypted with a key derived from that passphrase using PBKDF2-HMAC-SHA512.
Password
The tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase assigned to the tdx Volt by its owner.
The 'Battery' and 'Password' strategies differ in the scope of the passphrase. With the 'Battery' strategy, all Volts contained in the Battery have their key encrypted with the same passphrase. With the 'Password' strategy, each tdx Volt's key is encrypted with a passphrase unique to that tdx Volt.
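The following is an added example, not tdx Volt code, that wraps a key with AES-256 in CBC mode under a PBKDF2-HMAC-SHA512 derived key using the OpenSSL command line, and contrasts the shared passphrase of 'Battery' with the per-Volt passphrase of 'Password'. The iteration count, file names, passphrases and OpenSSL's salted container format are assumptions; the page does not describe the tdx Volt's own on-disk format.

```shell
#!/bin/sh
# Added example, not tdx Volt code. Assumed: iteration count, file names and
# OpenSSL's "Salted__" container; the Volt's real on-disk format may differ.
ITER=210000   # assumed PBKDF2 work factor

# wrap_key <plain-key-file> <wrapped-file>; passphrase is read from $VOLT_PASS
wrap_key() {
    openssl enc -aes-256-cbc -pbkdf2 -md sha512 -iter "$ITER" -salt \
        -pass env:VOLT_PASS -in "$1" -out "$2"
}

# unwrap_key <wrapped-file> <plain-key-file>; non-zero exit on a padding error
unwrap_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -md sha512 -iter "$ITER" \
        -pass env:VOLT_PASS -in "$1" -out "$2" 2>/dev/null
}

# roundtrip_ok <plain> <wrapped> <scratch>: succeeds only if the recovered
# bytes match the original. CBC padding is not an integrity check, so the
# result is compared instead of trusting the decrypt exit status alone.
roundtrip_ok() {
    unwrap_key "$2" "$3" && cmp -s "$1" "$3"
}

demo() {
    dir=$(mktemp -d) || return 1
    openssl rand -out "$dir/volt-a.key" 32    # constructed stand-in root keys
    openssl rand -out "$dir/volt-b.key" 32

    # 'Battery' strategy: one passphrase wraps every Volt key in the Battery.
    VOLT_PASS='battery passphrase (constructed)'; export VOLT_PASS
    wrap_key "$dir/volt-a.key" "$dir/a.enc"
    wrap_key "$dir/volt-b.key" "$dir/b.enc"
    roundtrip_ok "$dir/volt-a.key" "$dir/a.enc" "$dir/out" && echo "battery pass opens A"
    roundtrip_ok "$dir/volt-b.key" "$dir/b.enc" "$dir/out" && echo "battery pass opens B"

    # 'Password' strategy: Volt B is re-wrapped under its own passphrase.
    VOLT_PASS='volt-b passphrase (constructed)'
    wrap_key "$dir/volt-b.key" "$dir/b.enc"
    roundtrip_ok "$dir/volt-a.key" "$dir/a.enc" "$dir/out" || echo "volt-b pass does not open A"
    rm -rf "$dir"
}
demo
```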
File
The ‘File’ key strategy indicates that the key is stored somewhere on a local file system. This can include, for example, a removable encrypted drive. The key can also be encrypted using a passphrase.
Hardware
The ‘Hardware’ key strategy is a placeholder for hardware-based key storage solutions.