TPM module - what is it used for?
-
From the TPM Wiki; TPM is defined as Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
From another source it's explained as:
A Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication.
-
The TL;DR is it's a chip which is supposed to protect your system from unauthorized access, but has been marred with criticism since it's inception and implementation.
-
@Pete-S said in TPM module - what is it used for?:
So what is it usually used for?
Primarily marking up the price and backdoorsIs it something you should make use of, if you have it?
How many times has your BIOS been compromised?Should you get it, if you don't have it?
If you're asking, then definitely. I have them for sale at uselesscrap.co.lan. -
I know with a Windows 10 desktop using Bitlocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilize TPM has well.
-
@black3dynamite said in TPM module - what is it used for?:
I know with a Windows 10 desktop using Bitlocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilize TPM has well.
Yeah, that's what TPM does, it's an hardware authentication mechanism so that the system only "runs as intended" (on the hardware it was setup).
Much like public and private ssh keys.
-
@black3dynamite said in TPM module - what is it used for?:
I know with a Windows 10 desktop using Bitlocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilize TPM has well.
Not using a password to unlock the TPM seems to make that situation almost, I'm saying almost, pointless.
-
@Dashrender said in TPM module - what is it used for?:
@black3dynamite said in TPM module - what is it used for?:
I know with a Windows 10 desktop using Bitlocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilize TPM has well.
Not using a password to unlock the TPM seems to make that situation almost, I'm saying almost, pointless.
Agreed.
From system owner perspective:
Bad guy steals just hard drives, no worries. Owner safe.
Bad guy steals entire systems, big worries. TPM is useless and Owner screwed. -
@Dashrender said in TPM module - what is it used for?:
@black3dynamite said in TPM module - what is it used for?:
I know with a Windows 10 desktop using Bitlocker, TPM makes it possible for us to not have to enter a password to boot into Windows. I do believe Hyper-V also utilize TPM has well.
Not using a password to unlock the TPM seems to make that situation almost, I'm saying almost, pointless.
No, the point is to tie bitlocker to that physical hardware. That is not useless.
If you pull the drive, then you will not be able to decrypt it. It is not supposed to be the be all, end all of security.
-
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
-
@pmoncho said in TPM module - what is it used for?:
Bad guy steals entire systems, big worries. TPM is useless and Owner screwed.
Only if you choose no password, in which case you can just reword that to "bypass this feature." TPM in a mobile device is meant to be used with a password. TPM in a server it makes sense that it is optional.
-
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals entire systems, big worries. TPM is useless and Owner screwed.
Only if you choose no password, in which case you can just reword that to "bypass this feature." TPM in a mobile device is meant to be used with a password. TPM in a server it makes sense that it is optional.
Well my original comment about almost useless was in response to a post about Windows 10 Bitlocker... A desktop is semi portable, at least compared to most servers, LOL.
-
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
You hear about HD's being stolen, but not the whole unit?
-
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
Should have mentioned, if the TPM module is put to use with encryption, taking the drives is useless. The need the entire system.
-
@Dashrender said in TPM module - what is it used for?:
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
You hear about HD's being stolen, but not the whole unit?
I have. 2U Rack unit They bad guys didn't have a screw driver handy. Pressed the power button, pop the drives and out the door.
-
@pmoncho said in TPM module - what is it used for?:
@Dashrender said in TPM module - what is it used for?:
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
You hear about HD's being stolen, but not the whole unit?
I have. 2U Rack unit They bad guys didn't have a screw driver handy. Pressed the power button, pop the drives and out the door.
LOL - stealing just to steal it sounds like - unless they were targeted...
-
@Dashrender said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
@Dashrender said in TPM module - what is it used for?:
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
You hear about HD's being stolen, but not the whole unit?
I have. 2U Rack unit They bad guys didn't have a screw driver handy. Pressed the power button, pop the drives and out the door.
LOL - stealing just to steal it sounds like - unless they were targeted...
It was a lawyers office so I believe it was.
-
OK, so it has some value in Windows.
What's the operation of TPM on linux then? -
@Pete-S said in TPM module - what is it used for?:
OK, so it has some value in Windows.
What's the operation of TPM on linux then?Same. Bitlocker is just one of the options on Windows. Linux has similar options. They were just using an example, nothing about TPM is related to Windows.
-
@Dashrender said in TPM module - what is it used for?:
@scottalanmiller said in TPM module - what is it used for?:
@pmoncho said in TPM module - what is it used for?:
Bad guy steals just hard drives, no worries. Owner safe.
This is a big deal as this is how most people manage to make off with data.
You hear about HD's being stolen, but not the whole unit?
That's the norm, yes. Anyone looking for data, that's what they do. That's always the fear in datacenters. A 2.5" drive is "easy" to steal. It is loose, and tiny, fits in a pocket or an arm pit. A server is essentially impossible to steal from any real location.
-
@scottalanmiller said in TPM module - what is it used for?:
That's the norm, yes. Anyone looking for data, that's what they do. That's always the fear in datacenters. A 2.5" drive is "easy" to steal. It is loose, and tiny, fits in a pocket or an arm pit. A server is essentially impossible to steal from any real location.
Running out of a DC with a DL380 doesn't happen. Someone bulk sells the server on eBay does.
Real encryption keeps the keys in a remote KIMP server (what you'll see for any DISA/STIG system etc).
Realistically you use a TPM for detecting supply chain attacks (validating firmware, validating boot loader, EFI VIBs etc) is what ESXi uses it for.
https://blogs.vmware.com/vsphere/2018/04/vsphere-6-7-esxi-tpm-2-0.html
