What is a TPM?



A TPM, or Trusted Platform Module, is a small chip that is sometimes soldered onto a computer's motherboard and sometimes supplied as a separate module that is physically installed into the motherboard's TPM slot. The TPM is responsible for generating and protecting secure keys, usable in a number of different cryptographic scenarios, including but not limited to:
  • Secure random number generation
  • Key generation
  • Hardware identification hash generation
  • DRM (Digital Rights Management)

Physical Security

A TPM is designed to be tamper-proof. Once the module is installed, it cannot be removed without damaging the module itself or the motherboard. This makes it practically impossible for an attacker to remove the chip and read its data. If the module is damaged or fails for any other reason, all keys that have been created using the TPM will be permanently lost.

Disk Encryption

Disk encryption utilities, such as dm-crypt for Linux servers and BitLocker for Windows servers, are able to utilise the TPM to protect the keys used to encrypt storage devices attached to the computer. For example, BitLocker can be used to provide full disk encryption on almost any storage device. It does this by storing part of the encryption key on the computer itself and another part on the TPM. This key is then bound to the Windows login passwords. Attempting to read the storage device in any other computer will fail, as the TPM part of the encryption key will be missing. Similarly, attempting to read the drive data via a boot disk or similar method will fail, as the part of the key bound to the Windows accounts will be missing. Storage devices encrypted with this method are secure at rest. Securing data in transit is outside the scope of this article.

Recovery

When setting up disk encryption using a TPM, the encryption software will usually provide you with a recovery key. This key is only available during the encryption setup and cannot be provided at any other time. The key (if saved) can be used to recover an encrypted drive after a motherboard or TPM failure. Generally, these keys are stored on other, secure devices, such as USB storage devices or secure printed documents. How (and whether) these keys are saved will depend entirely on your organisation's procedures and policies.
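The two sections above describe the same mechanism from two sides: the disk key is only released by the TPM on the same machine, in the expected boot state, with the right login credential, while a separately stored recovery key still unlocks the drive if the TPM or motherboard fails. The following is an added illustration written for this article, not BitLocker, dm-crypt or TPM code. It models the chip as a Python object (a per-device seed that never leaves it plus PCR registers), and all measurements, secrets and the recovery key are constructed sample values. The XOR wrap and the SHA-256 "KDF" stand in for the AES and KDF primitives a real TPM uses.

```python
"""Added example: a pure-Python model of TPM-sealed disk-key protection."""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # size of the disk encryption key, in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedTPM:
    """Models the chip: a seed unique to this board that never leaves it, plus PCRs."""

    def __init__(self):
        self._seed = secrets.token_bytes(KEY_LEN)  # the "part of the key on the TPM"
        self.reset_pcrs()

    def reset_pcrs(self):
        """PCRs start at zero on every power-on; firmware then extends them."""
        self.pcrs = {}

    def extend(self, index: int, measurement: bytes):
        """PCR extend: pcr = H(pcr || H(measurement)); order-dependent and irreversible."""
        old = self.pcrs.get(index, bytes(KEY_LEN))
        self.pcrs[index] = hashlib.sha256(old + hashlib.sha256(measurement).digest()).digest()

    def _kek(self, indices, auth: bytes) -> bytes:
        """Key-encryption key derived from seed, selected PCR values and the auth secret."""
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs.get(i, bytes(KEY_LEN)))
        h.update(hashlib.sha256(auth).digest())
        return hmac.new(self._seed, h.digest(), hashlib.sha256).digest()

    def seal(self, secret: bytes, indices, auth: bytes = b"") -> dict:
        """Wrap `secret` so it unseals only when seed, PCRs and auth all match."""
        kek = self._kek(indices, auth)
        wrapped = _xor(secret, kek)  # toy one-time wrap; real chips use AES
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "wrapped": wrapped, "tag": tag}

    def unseal(self, blob: dict, auth: bytes = b"") -> bytes:
        kek = self._kek(blob["pcrs"], auth)
        expected = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise PermissionError("unseal refused: wrong chip, boot state or credential")
        return _xor(blob["wrapped"], kek)


def normal_boot(tpm: SimulatedTPM):
    """Constructed measurements for the machine's expected boot path."""
    tpm.reset_pcrs()
    tpm.extend(0, b"firmware build 2018.03")
    tpm.extend(7, b"secure boot: enabled, OS loader signed")


def rescue_media_boot(tpm: SimulatedTPM):
    """Same chip, but booted from external rescue media: PCR 7 now differs."""
    tpm.reset_pcrs()
    tpm.extend(0, b"firmware build 2018.03")
    tpm.extend(7, b"secure boot: enabled, rescue USB loader")


def create_protectors(tpm, disk_key: bytes, login_secret: bytes, recovery_key: str) -> dict:
    """Two independent protectors: TPM + login secret, or the recovery key alone."""
    rk = hashlib.sha256(recovery_key.encode()).digest()  # toy KDF for the recovery key
    wrapped = _xor(disk_key, rk)
    return {
        "tpm": tpm.seal(disk_key, [0, 7], auth=login_secret),
        "recovery": {"wrapped": wrapped,
                     "tag": hmac.new(rk, wrapped, hashlib.sha256).digest()},
    }


def unlock_with_tpm(tpm, protectors, login_secret: bytes) -> bytes:
    return tpm.unseal(protectors["tpm"], auth=login_secret)


def unlock_with_recovery(protectors, recovery_key: str) -> bytes:
    rk = hashlib.sha256(recovery_key.encode()).digest()
    p = protectors["recovery"]
    if not hmac.compare_digest(hmac.new(rk, p["wrapped"], hashlib.sha256).digest(), p["tag"]):
        raise PermissionError("wrong recovery key")
    return _xor(p["wrapped"], rk)


def run_scenarios() -> dict:
    """Which unlock attempts recover the disk key (True) and which are refused (False)."""
    disk_key = secrets.token_bytes(KEY_LEN)
    login, recovery = b"user-login-secret", "123456-654321-111111-222222"  # constructed
    tpm = SimulatedTPM()
    normal_boot(tpm)
    protectors = create_protectors(tpm, disk_key, login, recovery)

    def attempt(fn):
        try:
            return fn() == disk_key
        except PermissionError:
            return False

    normal_boot(tpm)  # reboot of the original machine
    results = {"same_machine_normal_boot": attempt(lambda: unlock_with_tpm(tpm, protectors, login))}
    results["same_machine_wrong_login"] = attempt(lambda: unlock_with_tpm(tpm, protectors, b"guess"))
    rescue_media_boot(tpm)
    results["same_machine_rescue_media"] = attempt(lambda: unlock_with_tpm(tpm, protectors, login))
    other = SimulatedTPM()  # drive moved to a different motherboard
    normal_boot(other)
    results["drive_moved_to_other_machine"] = attempt(lambda: unlock_with_tpm(other, protectors, login))
    results["recovery_key_after_tpm_failure"] = attempt(lambda: unlock_with_recovery(protectors, recovery))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32} {'unlocked' if ok else 'refused'}")
```

Running the script prints one line per scenario: only the original machine in its normal boot state with the right login, and the recovery key, recover the disk key; the wrong login, a rescue-media boot on the same chip, and the drive moved to another board are all refused. The recovery protector depends on nothing held by the chip, which is exactly why the recovery key must be stored somewhere other than the machine itself.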

Closing

Data security is a vast and highly complicated topic, but a TPM is a relatively simple and inexpensive tool to secure your data and provide peace of mind that even if your computer is stolen, your data cannot be read by third parties. If you have any questions, please contact our support team on 0808 1 333 247 or click on the button below to submit a support ticket.
 
Submit a Support Ticket




Friday, March 2, 2018




