Microsoft Subnet An independent Microsoft community View more

What is TPM?

A brief introduction into what TPM is.

I was working on a chapter for the new Windows Server 2008 R2 Unleashed book. Anyhow, I was writing a bit about BitLocker. While trolling through that section it reminded me that I still get tons of questions about what a TPM is. So… here you go:

The term Trusted Platform Module (TPM) is used to refer to both the name of a published specification by the Trusted Computing Group for a secure cryptoprocessor and the implementation of that specification in the form of a TPM chip. A TPM chip’s main purpose in life is the secure generation of cryptographic keys, the protection of those keys, and the ability to act as a hardware pseudo-random number generator. In addition, a TPM chip can also provide remote attestation and sealed storage. Remote attestation is a feature in which a hash key summary is created based on a machines current hardware and software configuration. Typically, remote attestation is used by third-party applications such as BitLocker to ensure a machine’s state has not been tampered with. Sealed storage is used to encrypt data such that it may only be decrypted once the TPM chip releases the appropriate decryption key. This release is only done by TPM chip once the required authenticator for that data has been provided. Lastly, a TPM chip can also be used to authenticate hardware devices.

In BitLocker, a TPM chip is used to protect the encryption keys and provide integrity authenti-cation for a trusted boot pathway (i.e. BIOS, boot sector, etc.). This type of TPM supported protection is only preformed when BitLocker is in either "Transparent operation mode" and "User authentication mode". When in either of these modes, BitLocker uses the TPM chip to detect if there unauthorized changes to the pre-boot environment (trusted boot pathway protection) such as the BIOS and MBR. If unauthorized changes were made, BitLocker will then request that a recovery key be provided before Volume Master Key can be decrypted and bootup of the machine can continue.

If you like this, check out some other posts from Tyson:

Or if you want, you can also check out some of Tyson's latest publications:

Lastly, visit the Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies