TPM stands for trusted platform module. TPM also called is ISO/IEC 11889. TPM is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. A TPM is actually a microchip on the motherboard of most servers and even today’s clients. The main function of TPM is to protect security-related data. This chip provides hardware-based authentication and tamper detection, so an attacker can’t attempt to remove the chip and place it on another motherboard, or tamper with the motherboard itself to attempt to bypass the encryption.
In particular, protection of cryptographic and decryption keys. Windows Server 2016 supports both TPM v1.0, v1.2 and even vTPM (virtual TPM). The bottom line is that TPM provides the same kind of boot time protection as UEFI by Secure Boot.
Microsoft uses a solution called BDE (BitLocker Drive Encryption) to encrypt the disk. BCD also stands for Boot Configuration Database. In Windows Server 2016, about 500 MB of space is allocated from the Reserved Partition to BCD.
In encryption area, TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. (Source: docs.microsoft.com)
The first step is to install the BDE feature. BDE can be configured with or without TPM, which second option is not recommended by security experts.
TPM Uses for:
- Platform integrity: Users demand that applications and platforms strike a delicate balance between hardware and software utility.
- Disk encryption: This type of encryption can mitigate risks of data exposure from loss or theft of stored data. All current operating systems provide disk encryption capability.
- Password protection: It is to implement or enable a password on a computer, network device, online service, file, user account, or data. In other words, password protection allows you to protect your data set by assigning it a password.
- Digital rights management: DRM is the use of technology and systems to copyright protection for digital media. DRM represents the controls by which you can prevent someone from copying or printing or editing or otherwise making available your privileged information to other people.
- Protection and enforcement of software licenses: Software vendors need more software protection. In fact, they most are actually looking for the appropriate compliance controls to keep the majority of their software licenses. Software license enforcement can be designed to create a continuum of possible outcomes for software that is used outside the bounds of the software license agreement.
- Prevention of cheating in online games: One of the most important issues in the world of online gaming is to prevent people from cheating – because cheating makes competition unfair. TPM can work here too.
How can you determine if your computer has TPM available? There are some ways. Easiest way is press Windows + R to open the Run dialog window. Then, type tpm.msc into it and press Enter.
This opens the Trusted Platform Module (TPM) Management. If TPM is installed, a message appears with the text: “The TPM is ready for you” but if you see a “Compatible TPM cannot be found” message instead, your computer does not have a TPM or it’s turned off in the BIOS/UEFI.
TPM has two very different version:
- 2: This version uses “TrouSerS” TSS (TCG software stack) by IBM. Windows 10 and Windows Server 2016 support TPN v1.2 until their version 1607. Newer versions of these two operating systems do not support TPM v1.2. All released versions of Windows Server 2019 (as of August 2020) support this TPM’s version.
- 0: This version allows direct access via /dev/tpm0 (one client at a time), managed access through the tpm2-abrmd resource manager daemon, or kernel-managed access via /dev/tpmrm0. Windows 10, Windows Server 2016 and Windows Server 2019 support this TPM’s version.
- A random number generator: Generating, store, and limit the use of cryptographic keys
- Facilities for the secure generation of cryptographic keys for limited uses.
- platform integrity by taking and storing security measurements
- Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary. This allows a third party to verify that the software has not been changed.
- Binding: Encrypts data using the TPM bind key, a unique RSA key descended from a storage key. Using TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
- Sealing: Similar to binding, but in addition, specifies the TPM state for the data to be decrypted (unsealed).
- Computer programs can use a TPM to authenticate hardware devices, since each TPM chip has a unique and secret Endorsement Key (EK) burned in as it is produced. Pushing the security down to the hardware level provides more protection than a software-only solution.