I was working on a chapter for the new Windows Server 2008 R2 Unleashed book. Anyhow, I was writing a bit about BitLocker. While trolling through that section it reminded me that I still get tons of questions about what a TPM is. So… here you go:
The term Trusted Platform Module (TPM) refers both to a specification published by the Trusted Computing Group for a secure cryptoprocessor and to the implementation of that specification in the form of a TPM chip. A TPM chip's main purpose in life is the secure generation of cryptographic keys, the protection of those keys, and the ability to act as a hardware pseudo-random number generator. In addition, a TPM chip can also provide remote attestation and sealed storage. Remote attestation is a feature in which a hash-based summary is created from a machine's current hardware and software configuration. Typically, remote attestation is used by third-party applications such as BitLocker to ensure a machine's state has not been tampered with. Sealed storage is used to encrypt data such that it can only be decrypted once the TPM chip releases the appropriate decryption key; the TPM chip releases that key only once the required authenticator for that data has been provided. Lastly, a TPM chip can also be used to authenticate hardware devices.
In BitLocker, a TPM chip is used to protect the encryption keys and provide integrity authentication for a trusted boot pathway (i.e. BIOS, boot sector, etc.). This type of TPM-supported protection is only performed when BitLocker is in either "Transparent operation mode" or "User authentication mode". When in either of these modes, BitLocker uses the TPM chip to detect whether unauthorized changes have been made to the pre-boot environment (trusted boot pathway protection), such as the BIOS and MBR. If unauthorized changes were made, BitLocker will then request that a recovery key be provided before the Volume Master Key can be decrypted and bootup of the machine can continue.
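To make the two ideas above concrete (a hash summary of the boot path, and a key the TPM only releases when that summary matches), here is a small Python model of measured boot and sealed storage. This is an added example, not code from the original post or from Microsoft: it simulates a single Platform Configuration Register (PCR) in software and stands in for the TPM's seal/unseal with an HMAC-derived wrapping key. A real TPM keeps the PCRs in hardware, and the boot components and Volume Master Key below are constructed sample values.

```python
"""
Toy model of TPM measured boot and sealed storage as BitLocker uses them.
Added example (not from the original post). Only hashlib/hmac are used; the
wrapping scheme is a stand-in for the TPM's own seal/unseal operations.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measurement)).
    Order matters and the register cannot be rolled back, which is what makes
    the resulting value a tamper-evident summary of everything measured so far."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each pre-boot component (BIOS, MBR, boot manager, ...) in order.
    PCRs are reset to all-zero at power-on."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _keystream(kek: bytes, length: bytes) -> bytes:
    """Deterministic keystream from the wrapping key (toy cipher, simulation only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(kek + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Bind `secret` to a PCR value. The wrapping key is derived from the expected
    PCR, and an HMAC tag lets unseal detect when the current PCR does not match."""
    kek = hmac.new(b"seal-kdf", expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(kek, len(secret))))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Release the secret only if the current PCR reproduces the sealing key.
    Returns None when the PCR policy is not satisfied."""
    ciphertext, tag = blob[:-32], blob[-32:]
    kek = hmac.new(b"seal-kdf", current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(kek, len(ciphertext))))


def boot(sealed_vmk: bytes, components, recovery_key=None):
    """BitLocker-style startup: try the TPM first; if the pre-boot environment
    changed, fall back to the recovery key; otherwise the volume stays locked."""
    vmk = unseal(sealed_vmk, measure_boot(components))
    if vmk is not None:
        return ("tpm", vmk)
    if recovery_key is not None:
        return ("recovery", recovery_key)
    return ("locked", None)


# Constructed sample values (not real firmware images or keys).
GOOD_BOOT = [b"BIOS v1.0", b"MBR original", b"bootmgr original"]
TAMPERED_BOOT = [b"BIOS v1.0", b"MBR modified", b"bootmgr original"]
VMK = hashlib.sha256(b"constructed volume master key").digest()
RECOVERY_KEY = hashlib.sha256(b"constructed 48-digit recovery key").digest()

# Sealing happens once, when BitLocker is enabled on a known-good machine.
SEALED_VMK = seal(VMK, measure_boot(GOOD_BOOT))

if __name__ == "__main__":
    print("unchanged boot path:", boot(SEALED_VMK, GOOD_BOOT)[0])
    print("modified MBR, no recovery key:", boot(SEALED_VMK, TAMPERED_BOOT)[0])
    print("modified MBR, recovery key:", boot(SEALED_VMK, TAMPERED_BOOT, RECOVERY_KEY)[0])
```

The point to take away is that the TPM never compares the boot path against a stored copy of the firmware; it only checks that the PCR value reproduced at this boot matches the one the key was sealed to, which is why a single changed byte in the MBR is enough to force the recovery prompt. A real TPM has many PCRs and BitLocker binds to a configured subset of them, but the seal-to-measurement relationship is the same.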
With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with and provided feedback on next-generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).