Key strategy

Various strategies are available for securing the tdx Volt root key.

Battery

In this key strategy, the tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase given to the Battery by the owner. The encrypted key is then stored in the Battery storage.

A Battery stores the configuration details required to locate and start a Volt. A passphrase is specified when the Battery is created, and the Battery storage is encrypted with a key derived from that passphrase using PBKDF2-HMAC-SHA512.

Password

The tdx Volt key is encrypted using AES-256 in CBC mode with the passphrase assigned to the tdx Volt by its owner.

The difference between the 'Battery' and 'Password' strategies is the scope of the passphrase. With the 'Battery' strategy, every Volt contained in the Battery has its key encrypted under the same Battery passphrase. The 'Password' strategy encrypts each **tdx Volt** key under a passphrase unique to that Volt.

File

The 'File' key strategy indicates that the key is stored somewhere on a local file system, which can include, for example, a removable encrypted drive. The key can additionally be encrypted using a passphrase.

Hardware

The 'Hardware' key strategy is a placeholder for hardware-based key storage solutions.