I was working on a chapter for the new Windows Server 2008 R2 Unleashed book. Anyhow, I was writing a bit about BitLocker. While trolling through that section it reminded me that I still get tons of questions about what a TPM is. So… here you go:
The term Trusted Platform Module (TPM) is used to refer to both the name of a published specification by the Trusted Computing Group for a secure cryptoprocessor and the implementation of that specification in the form of a TPM chip. A TPM chip’s main purpose in life is the secure generation of cryptographic keys, the protection of those keys, and the ability to act as a hardware pseudo-random number generator. In addition, a TPM chip can also provide remote attestation and sealed storage. Remote attestation is a feature in which a hash key summary is created based on a machines current hardware and software configuration. Typically, remote attestation is used by third-party applications such as BitLocker to ensure a machine’s state has not been tampered with. Sealed storage is used to encrypt data such that it may only be decrypted once the TPM chip releases the appropriate decryption key. This release is only done by TPM chip once the required authenticator for that data has been provided. Lastly, a TPM chip can also be used to authenticate hardware devices.
In BitLocker, a TPM chip is used to protect the encryption keys and provide integrity authenti-cation for a trusted boot pathway (i.e. BIOS, boot sector, etc.). This type of TPM supported protection is only preformed when BitLocker is in either "Transparent operation mode" and "User authentication mode". When in either of these modes, BitLocker uses the TPM chip to detect if there unauthorized changes to the pre-boot environment (trusted boot pathway protection) such as the BIOS and MBR. If unauthorized changes were made, BitLocker will then request that a recovery key be provided before Volume Master Key can be decrypted and bootup of the machine can continue.
If you like this, check out some other posts from Tyson:
- When a computer science degree matters, and when it doesn't
- Since when did cloud computing become/need a manifesto?
- Why would one phish using a Certificate Authority (CA) as bait?
- Would I trust you, if everyone else trusted you?
- Here is a good question: Is scripting programming or just systems administration?
- PowerShell boy and the case of the missing cmdlets!
- Fun with PowerShell 2.0 Eventing!
- Creating a custom 404 page to handle link redirection for ASP.NET web applications
Or if you want, you can also check out some of Tyson's latest publications:
- Windows PowerShell Unleashed (2ndEdition)
- Windows Server 2008 Unleashed (Yes, I did help on this book)
Lastly, visit the Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)