The Trusted Platform Module (TPM) provides secure key generation and storage for SCEP operations. When TPM is functioning correctly, private keys remain inside the TPM and cannot be extracted. The system stores only a reference file that points to the TPM-protected key.

In this scenario, the private key file (client.key) is located at:

/setup/cacerts/scep/client.key

This file exists regardless of whether the key is stored on disk or in TPM. Its contents determine the actual storage location.

How to Identify Where the Key Is Stored

Check the first line of the client.key file:

• Key stored on disk:

  -----BEGIN RSA PRIVATE KEY-----
  

• Key stored in TPM:

  -----BEGIN TSS2 PRIVATE KEY-----
  

  This indicates that the file contains only a reference to the TPM-stored key, not the key material itself.

Data Exposure During Device Recycling

If a device is recycled or reused without proper data sanitization, certificate data—including private keys stored on disk—may be recoverable. This is a security risk if the hard drive is not wiped before disposal.

Steps for Permanent Deletion

• Local Factory Reset removes private key material stored on the hard drive.

• Remote Disk Wipe options are available for managed devices (see Wiping the data disk documentation).

Additional Information

This setup uses standard OpenSSL with the TSS engine. More technical details can be found in the official OpenSSL documentation.

TPM is designed to securely generate and store private keys during SCEP enrollment, ensuring that key material never leaves the hardware module. If a private key appears on the device’s hard drive, this indicates that TPM may not be used as intended. This article explains how TPM-based key storage works, how to verify where the key is stored, and what to consider regarding data security and device recycling.