Key strategy

Various strategies are available for securing the tdx Volt root key.

Hardware

This strategy enables the use of a PKCS#11-compliant hardware security module (HSM) to secure the tdx Volt key. The encryption key is never exposed outside the HSM, providing a high level of security.

For more information about configuring the tdx Volt to use a PKCS#11 HSM, see the PKCS#11 reference.

Battery

In this key strategy, the tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase given to the Battery by the owner. The encrypted key is then stored in the Battery storage.

A Battery stores the configuration details required to locate and start a Volt. A passphrase is specified when the Battery is created. The Battery storage is encrypted by a key derived from the passphrase using PBKDF2-HMAC-SHA512.

Password

The tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase assigned to the tdx Volt by its owner.

The difference between the 'Battery' and 'Password' strategies is the scope of the passphrase: under the 'Battery' strategy, all Volts contained in the Battery have their keys encrypted with the same passphrase, whereas the 'Password' strategy uses a passphrase unique to each **tdx Volt** to encrypt its key.

File

The 'File' key strategy indicates that the key is stored somewhere on a local file system. This can include, for example, a removable encrypted drive. The key can also be encrypted using a passphrase.