A method for restricting access to an encryption key of an encrypted file
system (EFS), whereby access is provided only when a computer system is
booted in a trusted state. The EFS encrypts the files within a TPM chip
according to TCPA specifications and simultaneously creates the
encryption key, which is also stored in the TPM. The key is sealed to one
or more platform control register (PCR) states, i.e., the TPM will export
the key only when the PCRs are in a pre-defined state. The original PCR
states are modified during boot-up of the computer system via a secure
hashing algorithm, which extends a value of one PCR to a next PCR at each
stage of the boot process and then hashes the value with the remaining
content of the next PCR. When the system boot process is completed and
before control passes to the user, the values within the PCRs are
compared to values stored in a PCR table within the TPM, and the
encryption key is exported to the OS kernel only when the PCR values
match the table values. The control code of the TPM chip decrypts and
exports the key only if the value of each and every PCR matches its
corresponding table value. A complete match indicates that the computer
system has completed a trusted boot sequence.
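The extend-then-compare mechanism described above, as an added worked example that is not part of the patent text or any vendor's TPM code. It simulates a TPM 1.x-style PCR bank in software: each boot stage is folded into a register with the SHA-1 extend operation (new = SHA-1(old || SHA-1(measurement)), the 160-bit register width TCPA-era chips use), the EFS key is sealed together with a table of the selected PCR values, and unseal releases the key only when every PCR in the table matches. The storage root key, the SHA-256 keystream wrapping, the `SimulatedTpm` class and the boot images are constructed stand-ins for the chip's internal key handling and are assumptions of this example, not details from the page.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed simulation of PCR extend and PCR-bound seal/unseal. Not a real
# TPM interface: a real chip keeps the SRK and PCRs in hardware and its
# control code, not host software, decides whether the key is exported.

PCR_SIZE = 20  # TPM 1.x PCRs are 160-bit SHA-1 registers


def extend_pcr(pcr_value: bytes, measurement: bytes) -> bytes:
    """One extend step: new_pcr = SHA-1(old_pcr || SHA-1(measurement)).
    The old value is hashed in, so the result depends on every measurement
    and on the order in which they were recorded."""
    return hashlib.sha1(pcr_value + hashlib.sha1(measurement).digest()).digest()


class SimulatedTpm:
    """Hypothetical TPM: PCR bank plus a storage root key that never leaves."""

    def __init__(self, num_pcrs: int = 8) -> None:
        self._srk = os.urandom(32)  # constructed SRK; survives reboots
        self.num_pcrs = num_pcrs
        self.reset_pcrs()

    def reset_pcrs(self) -> None:
        """Power-on reset: every PCR returns to all zeros."""
        self.pcrs: List[bytes] = [bytes(PCR_SIZE)] * self.num_pcrs

    def extend(self, index: int, measurement: bytes) -> None:
        """Record one boot stage (BIOS, bootloader, kernel, ...) into a PCR."""
        self.pcrs[index] = extend_pcr(self.pcrs[index], measurement)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy SRK-keyed keystream standing in for the chip's internal wrapping.
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._srk + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def seal(self, key: bytes, pcr_selection: List[int]) -> dict:
        """Wrap the key and attach the current values of the selected PCRs
        as the table the chip will compare against at unseal time."""
        nonce = os.urandom(16)
        ciphertext = bytes(a ^ b for a, b in zip(key, self._keystream(nonce, len(key))))
        return {"pcr_table": {i: self.pcrs[i] for i in pcr_selection},
                "nonce": nonce, "ciphertext": ciphertext}

    def unseal(self, blob: dict) -> Optional[bytes]:
        """Release the key only if each and every PCR in the table matches.
        All registers are checked (no early exit) with a constant-time
        comparison, so the decision does not reveal which PCR diverged."""
        all_match = True
        for index, expected in blob["pcr_table"].items():
            if not hmac.compare_digest(self.pcrs[index], expected):
                all_match = False
        if not all_match:
            return None  # untrusted state: key stays inside the chip
        stream = self._keystream(blob["nonce"], len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


# Constructed boot measurements: (PCR index, stage image) per boot stage.
TRUSTED_BOOT = [
    (0, b"BIOS v1.0 (constructed)"),
    (1, b"bootloader (constructed)"),
    (2, b"os-kernel (constructed)"),
]


def boot(tpm: SimulatedTpm, stages: List[Tuple[int, bytes]]) -> None:
    """Simulate power-on, then measure each stage into its PCR in order."""
    tpm.reset_pcrs()
    for index, image in stages:
        tpm.extend(index, image)


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Seal an EFS key during a trusted boot, then unseal after a trusted
    reboot and after a reboot with a modified bootloader."""
    tpm = SimulatedTpm()
    efs_key = os.urandom(32)  # constructed stand-in for the EFS file key

    boot(tpm, TRUSTED_BOOT)
    blob = tpm.seal(efs_key, pcr_selection=[0, 1, 2])

    boot(tpm, TRUSTED_BOOT)            # same images -> same PCR values
    trusted_result = tpm.unseal(blob)  # key exported

    tampered = list(TRUSTED_BOOT)
    tampered[1] = (1, b"bootloader (modified)")
    boot(tpm, tampered)                # PCR 1 no longer matches the table
    tampered_result = tpm.unseal(blob)  # None: key withheld

    return efs_key, trusted_result, tampered_result


if __name__ == "__main__":
    key, ok, bad = demo()
    print("trusted boot released key:", ok == key)
    print("tampered boot released key:", bad is not None)
```

Two properties of the mechanism show up directly in the simulation: because each extend hashes the previous register value in, replaying the same images in the same order reproduces the table exactly, while a one-byte change to any measured stage, or a change in stage order, yields a different PCR and the unseal fails closed. The key material is bound to the platform state rather than to a password, which is why an attacker who boots the disk under a different loader never receives the key from the chip.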