What is TPM and how to use it in Windows. Trusted Platform Module Technology Requirements for using TPM services

11.10.2023

A Trusted Platform Module (TPM) is a dedicated security microchip on the computer's motherboard (or, in newer systems, a firmware implementation inside the chipset or CPU) that performs a specific set of cryptographic and platform-security tasks.

For example, the TPM is the component that protects the keys used to encrypt a computer's hard drive. Note that the TPM itself does not perform the bulk encryption: it is a slow, low-bandwidth device, and the actual encryption and decryption of disk sectors is done by the central processor (BitLocker, for instance, uses the CPU's AES instructions), so there is practically no performance loss. What the TPM contributes is that the disk encryption key is released only to a system whose boot state matches the one recorded when the key was sealed, so the key never has to be stored in a form that can simply be read off the disk.

Decryption is sometimes confused with breaking a cipher (cryptanalysis). The difference is that when decrypting you know the algorithm and the secret key with which the data was encrypted, while when breaking a cipher you do not.

The TPM can also protect credentials and record measurements of the software that runs during boot. This helps detect rootkits and bootkits (malware that loads before the operating system or hides its presence inside it, so the operating system itself cannot recognize it): each boot component is hashed into the TPM's Platform Configuration Registers (PCRs) before it runs, and a changed configuration shows up as changed measurements, which in turn keeps sealed secrets from being released. The TPM does not block the boot itself; it makes a change to the computer's configuration detectable, so it cannot happen unnoticed.

In addition, each TPM holds a unique Endorsement Key that is burned into the chip at manufacture and cannot be changed, usually together with a certificate from the manufacturer. This lets the chip prove to a remote party (a network access server or an application back end) that it is a genuine TPM and attest to the measured state of the platform, which is the basis for TPM-backed device authentication. The Endorsement Key itself is not used to sign data; attestation keys created under it are.

TPM can generate strong encryption keys when required by the operating system (OS).

But before you can use the TPM, it needs to be configured. Setting up the module comes down to a few simple steps.

  • First, the chip must be activated in the computer's BIOS (if it is not activated).
  • Secondly, you need to become its owner at the operating system level.

Let's look at these steps in more detail.

1 Enabling the TPM in the computer BIOS

To enable the module, enter the BIOS setup and open the security section. Although BIOS layouts vary significantly from computer to computer, the section with security settings is usually called "Security", and the option there is usually called "Security Chip" (on newer UEFI firmware it may appear as "TPM", "PTT", "fTPM" or "Security Device Support").

The module can be in three states:

  • Disabled.
  • Enabled but not activated (Inactive).
  • Enabled and activated (Active).

In the first case it is not visible to the operating system; in the second it is visible but the system will not use it; in the third it is visible and will be used by the system. Set the status to "Active". (These three states are a TPM 1.2 concept; a TPM 2.0 is simply on or off.)

You can also clear the old keys generated by the chip from the same settings screen.

Clearing the TPM is useful if, for example, you are about to sell the computer. Be aware that once the keys are erased you cannot recover data that was encrypted with them, so if your hard drive is encrypted, make sure you have the recovery key (for BitLocker, the 48-digit recovery password) backed up before clearing.

Now save the changes ("Save and Exit" or F10 key) and restart the computer.

After your computer boots, open Device Manager and make sure that the trusted module appears in the list of devices. It should be in the "Security Devices" section.

2 Initializing the TPM on Windows

All that remains is to initialize the chip in the operating system. To do this, open the TPM management snap-in: press Windows+R (the "Run" dialog opens), type tpm.msc in the input field and press Enter. The snap-in "Trusted Platform Module (TPM) Management on Local Computer" starts.

Here, by the way, you can read additional information: what the TPM is, when you should turn it on or off, how to change the password, and so on. A good series of articles about the TPM is on the Microsoft website.

On the right side of the snap-in is the Actions pane. Click "Initialize TPM..." (on Windows 8 and later the action is called "Prepare the TPM..."). If this action is greyed out, your chip has already been initialized. If it was not initialized by you and you do not know the owner password, it is advisable to reset the module by clearing it, as described in the previous section.


When the TPM Initialization Wizard starts, it will prompt you to create a password. Select the Automatically generate password option.


The TPM initialization program will generate a password. Save it as a file or print it. Now click the “Initialize” button and wait a bit.


Upon completion, the program will report successful module initialization. After initialization is complete, all further actions with the module - disabling, cleaning, data recovery in case of failures, resetting the lock - will only be possible using the password that you just received.


The initialize action is now inactive, but it is now possible to turn the TPM off, change the owner password, and reset the TPM lockout if it occurs (the module locks itself after a number of failed authorization attempts to defeat dictionary attacks on the owner password and other authorization values).


That is essentially where the management capabilities of the TPM snap-in end. All further operations that need the chip happen automatically: transparently to the operating system and invisibly to you. Whether the chip is actually used is up to the software. Newer operating systems such as Windows 8 and Windows 10 use TPM capabilities more widely than older ones (Windows 8 and later also provision the TPM automatically, so the owner-password step above is usually not needed there).
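The BIOS and tpm.msc steps above can be checked, and the ownership step repeated where needed, from an elevated PowerShell session. The script below is an added example written for this page, not code from the original article or from Microsoft; it uses the cmdlets of the TrustedPlatformModule module that ships with Windows 8 and later (Get-Tpm, Initialize-Tpm, Get-TpmEndorsementKeyInfo, Unblock-Tpm), Get-PnpDevice for the Device Manager check, and the Win32_Tpm WMI class for the specification version. The function name Test-TpmReadiness and the -Provision switch are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): inventory the TPM state that the
# BIOS/tpm.msc walkthrough produces, and take ownership only when explicitly asked to.
# Cmdlets: TrustedPlatformModule module (Windows 8+).
# WMI class: root\cimv2\Security\MicrosoftTpm\Win32_Tpm.

function Test-TpmReadiness {
    [CmdletBinding()]
    param(
        # Take ownership (what tpm.msc's "Initialize/Prepare the TPM" does) only on request.
        [switch]$Provision
    )

    # 1. Is the chip visible to Windows at all? This is the same check as
    #    Device Manager > Security devices in the walkthrough.
    $device = Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue |
              Where-Object { $_.FriendlyName -like '*Trusted Platform Module*' }
    if (-not $device) {
        Write-Warning 'No TPM device is visible to the OS. Enable/activate it in the BIOS/UEFI setup first.'
        return $null
    }

    # 2. Ask the TPM driver for its state. Enabled/Activated/Owned correspond to the
    #    three BIOS states described above; TpmReady means "owned and usable".
    $tpm = Get-Tpm

    # 3. Specification version (1.2 or 2.0) and firmware version come from Win32_Tpm.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    $report = [pscustomobject]@{
        Device          = $device.FriendlyName
        SpecVersion     = $specVersion
        Manufacturer    = $tpm.ManufacturerIdTxt
        FirmwareVersion = $tpm.ManufacturerVersion
        Present         = $tpm.TpmPresent
        Enabled         = $tpm.TpmEnabled
        Activated       = $tpm.TpmActivated
        Owned           = $tpm.TpmOwned
        Ready           = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        RestartPending  = $tpm.RestartPending
    }

    # 4. The dictionary-attack lockout mentioned in the walkthrough: report it,
    #    do not reset it blindly (Unblock-Tpm needs the owner authorization and a reason).
    if ($tpm.LockedOut) {
        Write-Warning "TPM is in lockout ($($tpm.LockoutCount) failed authorizations). Investigate before running Unblock-Tpm."
    }

    # 5. Ownership. Initialize-Tpm may ask for a reboot and a physical-presence
    #    confirmation at the firmware prompt; -AllowClear:$false refuses to wipe existing keys.
    if (-not $tpm.TpmReady -and $Provision) {
        $result = Initialize-Tpm -AllowClear:$false -AllowPhysicalPresence
        $report | Add-Member -NotePropertyName ProvisionResult -NotePropertyValue $result
    }

    # 6. Endorsement key: the per-chip identity discussed above. Record only the
    #    public-key hash, which is what an attestation service would enrol.
    try {
        $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
        $report | Add-Member -NotePropertyName EkPublicKeyHash -NotePropertyValue $ek.PublicKeyHash
    } catch {
        $report | Add-Member -NotePropertyName EkPublicKeyHash -NotePropertyValue $null
    }

    return $report
}

# Usage: inspect first; add -Provision to take ownership on a machine whose TPM is not ready.
Test-TpmReadiness | Format-List
```

If TpmReady is false while Enabled and Activated are true, the chip is on but unowned, which is the state described at the start of section 2; if Present is false the problem is in the firmware settings of section 1, not in Windows.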

This walkthrough provides the necessary instructions for using Trusted Platform Module (TPM) services in a test environment.

What are TPM services?

TPM services are a set of capabilities introduced in Windows Vista and Windows Server "Longhorn" (the pre-release name of Windows Server 2008). These services are used to manage the TPM, which provides security for your computer. The TPM services architecture provides a framework for interoperating with the hardware security device by sharing the TPM among applications.

What is a TPM module?

A Trusted Platform Module (TPM) is a chip designed to implement core security functions, primarily through the use of encryption keys. The TPM module is usually installed on the motherboard of a desktop or laptop computer and communicates with the rest of the system components via the system bus.

Computers equipped with a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, helps protect the key from disclosure. Each TPM has a master wrapping key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private part of a key created in the TPM is never accessible to any other system component, software, process, or user.

Computers equipped with a TPM can also create keys that are not only encrypted but also tied to a specific system configuration. Such a key can only be decrypted if the platform on which the attempt is made matches the measured state recorded when the key was created. This process is called "sealing" the key in the TPM, and decrypting it is called "unsealing". The TPM can also seal and unseal data created outside the TPM. By using a sealed key and software such as BitLocker Drive Encryption, you can lock data so that it is only accessible on a computer whose hardware and software configuration match the expected one.

When the TPM is used, the private portion of the key pair is kept out of any memory the operating system can access. Keys can be sealed by the TPM so that a precise decision about whether the system is in a trusted state is made before the keys are unsealed and ready for use. Because the TPM uses its own firmware and logic to process instructions, its operation is independent of the operating system, which shields it from vulnerabilities in external software. The caveat a practitioner should keep in mind is that this protects against software attacks: an unsealed key still has to be used by software on the host, and the TPM by itself does not defend against an attacker with physical access to the bus between the chip and the processor.
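Windows exposes the wrapping behaviour described above through the CNG key storage provider named "Microsoft Platform Crypto Provider": a key created there is generated inside the TPM, wrapped under the SRK, and can be used for signing but never exported. The script below is an added example written for this page, not Microsoft's code or code from the original guide. It assumes a provisioned TPM; the key name TpmDemoSigningKey and the sample message are made up for the demonstration, and the function names are mine.

```powershell
# Added example (not from the original guide): create a TPM-backed RSA key through the
# CNG "Microsoft Platform Crypto Provider", sign with it, verify with the public half,
# and show that the private half cannot be exported. Key name and message are constructed.
using namespace System.Security.Cryptography
using namespace System.Text

function New-TpmSigningKey {
    param([string]$Name = 'TpmDemoSigningKey')   # assumed name; deleted again by the caller

    $provider = [CngProvider]::new('Microsoft Platform Crypto Provider')
    if ([CngKey]::Exists($Name, $provider, [CngKeyOpenOptions]::None)) {
        return [CngKey]::Open($Name, $provider, [CngKeyOpenOptions]::None)
    }
    $params = [CngKeyCreationParameters]::new()
    $params.Provider     = $provider
    $params.KeyUsage     = [CngKeyUsages]::Signing
    $params.ExportPolicy = [CngExportPolicies]::None     # private part stays wrapped in the TPM
    # 2048-bit RSA; the Length property is a DWORD passed as 4 little-endian bytes.
    $params.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(2048), [CngPropertyOptions]::None))
    return [CngKey]::Create([CngAlgorithm]::Rsa, $Name, $params)
}

function Test-TpmKeyWrapping {
    $key = New-TpmSigningKey
    $rsa = [RSACng]::new($key)

    # Constructed sample input: the TPM signs the SHA-256 hash of this message.
    $message = [Encoding]::UTF8.GetBytes('constructed sample message')
    $sig = $rsa.SignData($message, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    # Verification needs only the public half, which the TPM hands out freely.
    $pubBlob  = $key.Export([CngKeyBlobFormat]::GenericPublicBlob)
    $verifier = [RSACng]::new([CngKey]::Import($pubBlob, [CngKeyBlobFormat]::GenericPublicBlob))
    $ok = $verifier.VerifyData($message, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    # Exporting the private half is refused by the provider: that is the "wrapping" property.
    $privateExported = $false
    try {
        [void]$key.Export([CngKeyBlobFormat]::GenericPrivateBlob)
        $privateExported = $true
    } catch {
        $privateExported = $false
    }

    [pscustomobject]@{
        Provider        = $key.Provider.Provider
        UniqueName      = $key.UniqueName
        KeySizeBits     = $key.KeySize
        SignatureValid  = $ok              # expected: True
        PrivateExported = $privateExported # expected: False
    }

    $key.Delete()   # remove the demo key from the TPM-backed store
}

Test-TpmKeyWrapping | Format-List
```

Because ExportPolicy is None, the only way to use this key is to ask the TPM to sign with it on this machine; a copy of the disk, or a memory dump of the process, does not yield the private key. Binding the key to PCR values (sealing, in the terminology above) is done with additional provider-specific properties and is not shown here.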

Who is this guide intended for?

This manual is intended for:

  • IT specialists involved in planning and analysis of information infrastructure, evaluating the functionality of the product.
  • Specialists involved in early implementation of the product.
  • Security architects responsible for implementing the trustworthy computing concept.

In this guide

Requirements for using TPM services

We recommend that you first perform all the steps described in this guide in a test environment. This guide should be treated as a stand-alone document. It is not a comprehensive guide to deploying specific Windows Vista or Windows Server "Longhorn" features and should not be used without reference to the accompanying documentation provided in .

Prepare a test environment to explore how TPM services work

To study TPM services, you need a test environment, which consists of a computer connected to an isolated network through a conventional hub or layer 2 switch. The computer must be running the Windows Vista operating system and have a compatible TPM (version 1.2) and a BIOS that meets the Trusted Computing Group (TCG) specification. It is also recommended to use a portable USB storage device. When setting up a network for a test environment, you should use a private IP address range.

Common Use Cases for TPM Services

This guide covers the following scenarios for using TPM services:

Note

The three scenarios presented in this guide are designed to help the administrator understand the capabilities provided by TPM services in Windows Vista. They provide the basic information and procedures administrators need to begin configuring and deploying TPM-equipped computers on their networks. Information and procedures for additional or advanced configuration of TPM services are not included in this guide.

Scenario 1: TPM initialization

This scenario details the procedure for initializing the TPM on a computer. Initialization involves enabling the TPM and assigning its owner. The scenario is written for local administrators responsible for configuring computers equipped with a TPM.

Although Windows Vista supports remote initialization of the TPM, the operation typically requires an administrator to be physically present at the computer. If the computer was delivered with the TPM already initialized, physical presence is not required. Information about remote provisioning and the procedures required for it is not included in this guide. TPM services expose a WMI class (Win32_Tpm, in the root\cimv2\Security\MicrosoftTpm namespace) that allows the procedures described in this section to be performed from scripts; writing such scripts is also outside the scope of this guide.

Steps to Initialize TPM

To initialize the TPM module installed on your computer, you must complete the following steps:

Step 1: Initialize the TPM

In order for the TPM to protect your computer, it must first be initialized. This section describes how to initialize the TPM installed on your computer.

Windows Vista-compliant computers have functionality built into the BIOS that makes it easy to initialize the TPM using the TPM Initialization Wizard. When you run the TPM Initialization Wizard, you can determine whether the TPM installed on your computer has been initialized or not.

The following procedure will walk you through the steps of initializing a TPM using the TPM Initialization Wizard.

Note
To perform the procedure described below, you must be logged on to the computer equipped with the TPM module with administrator rights.

To run the TPM Initialization Wizard and initialize the TPM, follow these steps:

    1. On the Start menu, select All Programs, then Accessories, then Run.

    2. Type tpm.msc in the Open field, then press Enter.

    3. If a User Account Control dialog box appears, make sure that the proposed action matches what you requested, then click Continue. For more information, see "Additional sources of information" at the end of this document.

    4. The Trusted Platform Module (TPM) Management on Local Computer console is displayed.

    5. On the Action menu, select Initialize TPM. This launches the TPM Initialization Wizard.

    6. Click Restart the computer, then follow the on-screen instructions provided by the BIOS.
    Note. The messages displayed by the BIOS and the required user actions may vary depending on the hardware manufacturer.

    7. After the reboot, a prompt is displayed that can only be answered by a person physically present at the computer. This ensures that the TPM is being initialized by the user and not by malicious software.

    8. Click Automatically create the password (recommended) to have the wizard prepare the TPM and generate the owner password.

Step 2: TPM Owner Assignment

Before a TPM can be used to secure your computer, you must assign an owner to it. When assigning the TPM owner you must provide a password. The password ensures that only the authorized owner of the TPM can access and manage it. The same password is used to turn off the TPM if you no longer want to use it, and to clear the TPM if the computer is being disposed of.

The steps below guide you through assigning a TPM owner using the TPM Initialization Wizard.

Note

To assign a TPM owner, follow these steps:

Attention. Do not lose the password. If you lose it, you will not be able to make any administrative changes to the TPM until you clear it.

Scenario 2: Turning off and clearing the TPM

This scenario addresses two common tasks that administrators encounter when reconfiguring or disposing of a computer equipped with a TPM: turning off the TPM and clearing it.

Turning off the TPM

Some administrators may decide that not every TPM-equipped computer on their network needs the additional protection the module provides. In that situation we recommend making sure that the TPMs on the affected computers are turned off. The following procedure walks you through turning off the TPM.

Note
An administrator does not need to be physically present to turn off the TPM, provided the owner password is available.

To perform the procedure described below, you must be logged on to the TPM-equipped computer with local administrator rights.

To turn off the TPM, follow these steps:

    1. On the Start menu, select All Programs, then Accessories, then Run.

    2. Type tpm.msc in the Open field and press Enter. The Trusted Platform Module (TPM) Management on Local Computer console is displayed.

    3. If a User Account Control dialog box appears, make sure that the proposed action matches what you requested, then click Continue. For more information, see "Additional sources of information" at the end of this document.

    4. On the Actions menu, select Turn TPM Off.

    5. In the Turn off the TPM security hardware dialog box, select a method for entering the owner password and turning off the TPM:

       • If you have removable media on which you previously saved the TPM owner password, insert it and select I have a backup file with the TPM owner password. In the Select the backup file with the TPM owner password dialog box, click Browse to select the .tpm file on the removable media, click Open, then click Turn TPM Off.

       • If you do not have removable media with the saved password, select I want to enter the TPM owner password manually. In the Type your TPM owner password dialog box, type the password (including hyphens) and click Turn TPM Off.

       • If you do not know the TPM owner password, select I do not have the TPM owner password and follow the instructions to turn off the TPM without entering a password.

Note. Turning off the TPM without the owner password (and performing a limited number of other administrative tasks this way) requires an administrator to be physically present at the computer.

The TPM status is shown in the Status area of the TPM management console.

Clearing the TPM

Clearing the TPM removes ownership of the TPM and turns it off. This action must be performed if a TPM-equipped computer is to be disposed of, or if the TPM owner password has been lost. The procedure below walks you through clearing the TPM.

Note
An administrator does not need to be physically present to clear the TPM, provided the owner password is available.

To perform the procedure described below, you must be logged on to the TPM-equipped computer with local administrator rights.

To clear the TPM, follow these steps:

    1. On the Start menu, select All Programs, then Accessories, then Run.

    2. Type tpm.msc in the Open field and press Enter. The Trusted Platform Module (TPM) Management on Local Computer console is displayed.

    3. If a User Account Control dialog box appears, make sure that the proposed action matches what you requested, then click Continue. For more information, see "Additional sources of information" at the end of this document.
    Attention. Clearing the TPM resets all settings to factory defaults and turns the TPM off. You will lose all keys created in the TPM, as well as all data that was protected by those keys. If BitLocker depends on this TPM, suspend or decrypt the volumes, or make sure the recovery password is backed up, before clearing.

    4. On the Actions menu, select Clear TPM. If the TPM is turned off, first follow the procedure in "Step 1: Initialize the TPM" to re-initialize it before clearing it.

    5. In the Clear the TPM security hardware dialog box, select a method for entering the owner password and clearing the TPM:

       • If you have removable media on which you previously saved the TPM owner password, insert it and select I have a backup file with the TPM owner password. In the Select the backup file with the TPM owner password dialog box, click Browse to select the .tpm file on the removable media, click Open, then click Clear TPM.

       • If you do not have removable media with the saved password, select I want to enter the TPM owner password manually. In the Type your TPM owner password dialog box, type the password (including hyphens) and click Clear TPM.

       • If you do not know the TPM owner password, select I do not have the TPM owner password and follow the instructions to clear the TPM without entering a password.

Note. Clearing the TPM (and performing a limited number of other administrative tasks) without the owner password requires an administrator to be physically present at the computer.

The TPM status is shown in the Status area of the TPM management console.

Scenario 3: Blocking and allowing TPM commands

This scenario describes how to block and allow TPM commands. Local administrators perform this task during the initial configuration of a TPM-equipped computer or when its configuration changes. TPM commands are managed through a subnode of the TPM Management console called Command Management, where administrators can view the commands available for use with the TPM and block or allow them, within the limits set by Group Policy and local computer settings. The following procedure walks you through blocking and allowing TPM commands.

Note
To perform the procedure described below, you must be logged on to the TPM-equipped computer with local administrator rights.

To block or allow TPM commands, follow these steps:

    1. On the Start menu, select All Programs, then Accessories, then Run.

    2. Type tpm.msc in the Open field, then press Enter.

    3. If a User Account Control dialog box appears, make sure that the proposed action matches what you requested, then click Continue. For more information, see "Additional sources of information" at the end of this document.

    4. In the console tree, expand the Command Management node. The list of TPM commands is displayed.

    5. Select the command you want to block or allow.

    6. On the Actions menu, click Block Selected Command or Allow Selected Command, as needed.

Note. Local administrators cannot allow TPM commands that are blocked by Group Policy. Commands that appear in the console's default block list also stay blocked until Group Policy is changed to override the default list (the "Ignore the default list of blocked TPM commands" setting under Trusted Platform Module Services).
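Scenarios 2 and 3 can also be driven from a script through the Win32_Tpm WMI class mentioned in Scenario 1 and the Clear-Tpm cmdlet of the TrustedPlatformModule module. The script below is an added example written for this page, not Microsoft's code or code from the original guide. The command ordinal 91 (TPM_OwnerClear in the TPM 1.2 ordinal numbering) is an illustrative choice, the BitLocker guard uses Get-BitLockerVolume, and the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): manage the TPM command block list (Scenario 3)
# and guard the clear operation (Scenario 2) through Win32_Tpm and Clear-Tpm.
# Ordinal 91 = TPM_OwnerClear in TPM 1.2 ordinal numbering, chosen for illustration;
# a TPM 2.0 is addressed by command code instead (0x126 for TPM2_Clear).

$script:TpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not $script:TpmWmi) { throw 'No Win32_Tpm instance: the TPM is absent or not enabled in firmware.' }

function Get-TpmCommandBlockState {
    param([Parameter(Mandatory)][uint32]$CommandOrdinal)
    # Win32_Tpm.IsCommandBlocked returns the effective state (local list plus Group Policy).
    $r = Invoke-CimMethod -InputObject $script:TpmWmi -MethodName IsCommandBlocked `
                          -Arguments @{ CommandOrdinal = $CommandOrdinal }
    if ($r.ReturnValue -ne 0) { throw ('IsCommandBlocked failed: 0x{0:X8}' -f $r.ReturnValue) }
    [pscustomobject]@{ CommandOrdinal = $CommandOrdinal; Blocked = [bool]$r.IsBlocked }
}

function Set-TpmCommandBlock {
    param([Parameter(Mandatory)][uint32]$CommandOrdinal, [switch]$Allow)
    # AddBlockedCommand / RemoveBlockedCommand edit the local list only; a local admin
    # cannot unblock what Group Policy blocks, which surfaces as a non-zero ReturnValue.
    $method = if ($Allow) { 'RemoveBlockedCommand' } else { 'AddBlockedCommand' }
    $r = Invoke-CimMethod -InputObject $script:TpmWmi -MethodName $method `
                          -Arguments @{ CommandOrdinal = $CommandOrdinal }
    if ($r.ReturnValue -ne 0) {
        throw ('{0} failed: 0x{1:X8} (blocked by Group Policy or the default list?)' -f $method, $r.ReturnValue)
    }
    Get-TpmCommandBlockState -CommandOrdinal $CommandOrdinal
}

function Invoke-TpmClearGuarded {
    # Clearing wipes every key the TPM protects. Refuse while a BitLocker volume still
    # has an active TPM-based protector, the data-loss case the guide warns about.
    param([string]$OwnerAuthFile)   # optional .tpm backup file saved by the wizard

    $dependent = Get-BitLockerVolume -ErrorAction SilentlyContinue |
                 Where-Object { $_.ProtectionStatus -eq 'On' -and
                                ($_.KeyProtector | Where-Object { $_.KeyProtectorType -match 'Tpm' }) }
    if ($dependent) {
        throw "BitLocker volumes still rely on this TPM: $($dependent.MountPoint -join ', '). Suspend or decrypt them first."
    }
    if ($OwnerAuthFile) { Clear-Tpm -File $OwnerAuthFile } else { Clear-Tpm }
}

# Usage: inspect, block, then re-allow the example ordinal; the clear stays opt-in.
Get-TpmCommandBlockState -CommandOrdinal 91
Set-TpmCommandBlock -CommandOrdinal 91
Set-TpmCommandBlock -CommandOrdinal 91 -Allow
# Invoke-TpmClearGuarded -OwnerAuthFile 'E:\tpm-owner-backup.tpm'   # assumed path
```

Turning the TPM off (the Win32_Tpm Disable method, which takes the owner authorization) only applies to TPM 1.2; a TPM 2.0 has no off state at the operating-system level and is disabled in the firmware setup instead. Clear-Tpm without an owner authorization behaves like the "I do not have the TPM owner password" path in the console and therefore needs a physical-presence confirmation at the next boot.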

Bug Logging and Feedback

As TPM services provide new capabilities in Windows Server "Longhorn" and Windows Vista, we are very interested in hearing your feedback about using them, any problems you may encounter, and the usefulness of the available documentation.

When you encounter errors, follow the instructions on the Microsoft Connect website. We are also interested in receiving your general suggestions and feedback regarding TPM services.

You can send your feedback and general questions regarding TPM services by e-mail to the TPM services team, using the subject line "Windows Vista Beta 2 Trusted Platform Module Services Step by Step Guide".

Additional sources of information

The following sources provide additional information about TPM services:

    For support, visit the Microsoft Connect website.

    To access TPM Services newsgroups, follow the directions provided on the Microsoft Connect website.

    The BitLocker Drive Encryption team maintains a blog on Microsoft TechNet.

Support within the framework of a special affiliate program Technology Adoption Program

If you are a beta tester participating in the Technology Adoption Program (TAP), you can also contact your assigned Microsoft Product Team representative for assistance.

We got a brief introduction to the TPM module when we were introduced to . Today we will expand our knowledge a little and talk about what it is used for and how it can be managed.

Typical uses of the TPM:

  • User or computer authentication.
  • Protection of data against theft, for example with BitLocker.
  • Network access control.
  • Protection of software against modification.
  • Copy protection.

TPM module management

    Managing the TPM from the operating system essentially ends with its initial configuration. The TPM chip performs all its computations on its own, outside the operating system's reach, so it is not exposed to operating system vulnerabilities. The only built-in management tool on Windows client operating systems is the TPM Management console. It can be opened from the Run dialog (tpm.msc) or from Control Panel - BitLocker Drive Encryption - TPM Administration. By the way, the console also answers the question "do I have a TPM?": if there is no module, you will see the message "Compatible TPM cannot be found". If you do have one, you can turn the module on and off, save the owner information needed for TPM recovery, clear the TPM, reset the TPM lockout, and so on.

    This is where the ability to manage the TPM from the operating system almost ends. The only additional option is that on some computers the module can be turned on or off in the BIOS.

    The constantly growing number of worms, viruses and plain holes in modern operating systems and network services forces IT specialists to develop ever newer information security tools. Previously, mostly software solutions were used, since hardware-based ones were not affordable for everyone. Now, thanks to Trusted Platform Module (TPM) technology, such solutions have reached the mass market and become available to everyone. In this appendix we will talk about what the TPM is and why it makes sense to use this technology in your enterprise.

    The TPM is a microcontroller designed to implement basic security functions using encryption keys. The TPM chip is installed on the computer motherboard and interacts with other system components via the system bus.

    The concept of "trusted platform modules" (the expansion of the abbreviation TPM) belongs to the Trusted Computing Group (TCG) consortium, which has existed since 2003.
    The TPM technology itself appeared earlier than that. In 1999, the Trusted Computing Platform Alliance (TCPA) was created. It included the most important hardware and software developers: IBM, HP, Microsoft and others. Despite the eminence of the participants, the alliance's work resembled the well-known fable about the swan, the crayfish and the pike: everyone pulled in their own direction (each member had the right to veto decisions made by the others), so the TPM developed rather slowly.


    In 2003, the TCPA alliance was transformed into the Trusted Computing Group consortium, which is organized differently. Only selected companies (called promoters) can make the important decisions; these include Intel, HP, IBM, AMD, Seagate, Sony, Sun, Microsoft and VeriSign. The remaining companies (more than a thousand of them) may only take part in developing draft specifications or simply receive early access to new developments.
    The main output of TCPA/TCG is the "trusted platform module", which was formerly called the "Fritz Chip". It was named after US Senator Fritz Hollings, known for his support of Digital Rights Management (DRM).

    The main task of the TPM is to create a trustworthy computer in which all communication processes, as well as the hardware and software, are verified and protected. "Communication" here does not mean protecting a network connection, but protecting the interaction between individual parts of the system (for example, the operating system).
    The TPM can also be used to verify the integrity and origin of data. Only authorized users should have access to the data, and the security of its transmission must be ensured. An integrity check protects the system from viruses, worms and other programs that change data without notifying the user.
    The TPM was not designed only to protect personal computers or laptops from viruses: the technology can be used to secure mobile phones, PDAs, input devices and disk drives, and it can be combined with biometric identification devices. Protection of network connections is handled by a separate TCG working group, Trusted Network Connect (TNC). We will not consider the results of TNC's work here and will limit ourselves to the TPM.

    For example, you can install a self-encrypting hard drive (Fig. A37). Seagate has been producing such drives for a long time (Momentus 5400 FDE.2), and it is far from the only manufacturer of drives with built-in encryption; Hitachi, for example, also produces "cryptographic drives". So you have a choice of hardware (other manufacturers of hardware and software with TPM support are listed on the website www.tonymcfadden.net).

    How TPM works

    As already noted, the TPM module is implemented as a chip on the motherboard. The TPM is integrated into the computer's boot process: each component involved in booting (firmware, option ROMs, boot loader, operating system loader) and certain platform configuration data are hashed (with SHA-1 in TPM 1.2, SHA-256 in TPM 2.0) and the hashes are extended into the TPM's Platform Configuration Registers (PCRs).
    The resulting PCR values reflect the state of the system at boot. The TPM does not itself refuse to start the computer; instead, secrets sealed to the expected values (such as the BitLocker volume key) are released only when the measured state matches, so a system whose boot chain has been tampered with cannot unlock them.

    Setting up TPM on Windows

    The following guide describes how to use TPM services in Windows Vista:
    http://www.oszone.net/display.php?id=4903.
    Windows Vista and Windows Server 2008 use BitLocker disk encryption technology, which is closely related to trusted modules (Figure A38). You can read about setting up BitLocker in Windows Server 2008 and Vista (Fig. P39, P40) here:
    http://www.securitylab.ru/contest/300318.php; http://www.oszone.net/4934/VistaBitLocker.

    Ready systems with TPM support

    Ready-made TPM computers have been on the market for a long time: both laptops and desktop computers. Typically, such systems are produced by well-known manufacturers like HP, so their price may be slightly inflated (surcharge “for the brand”).
    Those who want to save money can be recommended to buy hardware with TPM support and assemble everything themselves. The necessary motherboards are produced by many manufacturers, for example ASUS (M2N32-SLI Premium), MSI (Q35MDO), etc. (Fig. P41).

    Why do you need TPM?

    First, the TPM raises the overall security of the system and adds hardware-level protection against viruses, Trojans and other malware. As we know, one should not skimp on security, especially in an enterprise.
    Second, the TPM underpins encryption of data on the hard drive, and it does so without a noticeable security-versus-performance trade-off: the TPM guards the disk encryption key, while the bulk encryption itself is done by the processor (modern CPUs have dedicated AES instructions), so the impact on performance is small.
    Third, with the help of a TPM you can do without a password altogether and use the user's fingerprint instead (the fingerprint reader handles the biometrics; the TPM protects the credentials it unlocks). Quite an effective solution: what we used to see only in half-fiction films is now a reality.

    It is important to remember that the TPM is not a universal solution or a panacea for all computer ills. Nobody has abolished a good antivirus and firewall. The TPM was developed largely to protect the interests of the software giants, namely to prevent users from running unlicensed software. From this point of view it is not yet clear whether the TPM is good or bad, given the amount of unlicensed software in our part of the world. Let's face it: there is a lot of pirated software.
    Also, do not forget about the human factor. A person can deliberately give out the password to his system, write it on a yellow sticky note stuck to the monitor, or simply set a very simple password that is not hard to guess. In such situations the TPM will definitely not help. This is where software comes to the rescue, namely access control systems, but that is another story.




    © 2023 hecc.ru - Computer technology news