HSM and TPM – CompTIA A+ 220-1201 – 3.5

The trusted platform module (TPM) is an important security feature on today’s motherboards. In this video, you’ll learn about the technologies and use cases of TPMs and hardware security modules (HSMs).


A lot of what we do in technology has to do with secrets. We have a lot of information that we want to keep secret from other people. And in some cases, we want to be sure that the information we’re storing on our own system is only available to us and no one else.

To provide this security, we need to use encryption, and we use encryption on almost everything. Your mobile phone is using encryption not only to store information, but to transmit information over the airwaves. When we send information back and forth to a web server, that entire network communication is encrypted. And when we’re storing information on our local hard drive or SSD, all of that data can also be encrypted.

Very often, the process that we use for encrypting and decrypting data is a very well-known process. These are usually based on standards that are open and public. And you can reference and read through those standards to understand exactly what’s happening when information is encrypted and decrypted.

This is very similar to the lock on the front door of your house. Just knowing how the lock mechanism works doesn't somehow allow you access through that door. To gain access, you need the one thing that is unique and that no one else has: your key.

Although we don’t have a physical door key on our computer, we have digital keys that we use during this encryption and decryption process. And if we are encrypting data with a key, we need to be sure that we have the correct key to be able to decrypt that information later.

But now we have a new problem. We've encrypted the data, so we need to protect the key we encrypted it with. How do you protect the key that you're using for all of these cryptographic functions?

On your personal computer, one of the ways that we can help protect this key is by using a Trusted Platform Module, or a TPM. This TPM is a standardized piece of hardware that is built for encryption. There are many different cryptographic functions built into this piece of hardware. And in this image, you can see that the TPM is a module that was installed onto the motherboard separately. Your motherboard may instead have the TPM built into the motherboard itself.

This TPM includes a cryptographic processor, so random number generation can occur on the TPM, and we can also generate cryptographic keys on the TPM. The TPM also includes persistent memory, which contains keys burned in during the manufacture of the TPM, such as the endorsement key that uniquely identifies that chip. And there's a section of versatile memory that holds keys and other information generated during use, such as the platform configuration registers (PCRs) that record measurements of the boot process.

And perhaps most importantly, the TPM is built for security. Access to the keys is password-protected (the TPM calls these authorization values), the TPM locks itself out after repeated wrong guesses, and private keys never leave the chip in the clear. These features prevent somebody from gaining access to your very private cryptographic keys.

This trusted platform module has a cryptographic key that is secret to only your system, and it’s unique to only your system. Nobody else has the same key. For that reason, your encryption keys are now associated with your individual computer, and we can use those keys to perform different functions.

For example, if you've enabled BitLocker or some other type of full-disk encryption on your computer, the TPM can protect the key that encrypts the data on that device. This also means that you can't take the storage device out of your computer, move it to another computer, and gain access to the data. You would still need to decrypt the data, and the key that unlocks it is sealed inside the TPM back on the original computer. The TPM will only release that key when the boot process measures exactly the way it did when the key was sealed, so a modified bootloader or firmware also keeps the drive locked. That's why you should keep your BitLocker recovery key somewhere safe.

Since this TPM contains a unique key that's tied to that piece of hardware, the TPM can vouch for the hardware. We refer to this as a hardware root of trust. We know that the TPM is unique to that system, so we can use the TPM to verify that the computer we're talking to across the network really is the device we're expecting.

This TPM can also be used to remotely determine if anything has changed with that computer. During boot, the TPM records measurements of the firmware, bootloader, and operating system, and it can report those measurements to a remote system, signed with a key that only that TPM holds. This is called remote attestation. That way, when you're connecting to a system across the network, you know not only that it's the system you expect, but that it booted the software you expect.

And since the TPM is physically part of the hardware of this system, its keys are not something that can easily be copied off and moved to another computer. You know that when you're looking at that TPM, you really are looking at that particular physical computer.
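The three ideas above (a key sealed to the boot measurements, a key that only works on the chip that created it, and a signed report of the boot state for a remote verifier) fit in one small model. The Python below is an added example, not code from the video or from any TPM vendor: it is a software stand-in for a TPM, so the class, the measurements, and the XOR-plus-HMAC wrapping scheme are all invented illustrations of the mechanism, not the real TPM 2.0 commands (TPM2_PCR_Extend, TPM2_Create/TPM2_Unseal with a PCR policy, TPM2_Quote). Only the PCR extend formula, SHA-256(old || SHA-256(measurement)), matches what a real SHA-256 PCR bank does.

```python
import hashlib
import hmac
import secrets

# Software model of a TPM for illustration only. The SimTPM class, the
# wrapping scheme and the boot measurements are invented stand-ins for the
# real TPM 2.0 API; the PCR extend formula is the real one.

PCR_RESET = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes on reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old PCR || SHA-256(measurement)).
    A PCR can only be extended, never set, so changing anything that was
    measured changes every later value of that PCR."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


class SimTPM:
    def __init__(self):
        # Per-chip secret fixed at manufacture (stand-in for the burned-in
        # endorsement/storage seeds). It never leaves the chip.
        self._seed = secrets.token_bytes(32)
        self.pcr = PCR_RESET
        # Attestation key. A real TPM signs quotes with a private key and the
        # verifier holds the public half; this model uses an HMAC key instead.
        self.attestation_key = hashlib.sha256(b"AK" + self._seed).digest()

    def reset(self) -> None:
        self.pcr = PCR_RESET

    def extend(self, measurement: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measurement)

    def _wrap_key(self, pcr_value: bytes) -> bytes:
        # Depends on BOTH the chip secret and the PCR value, so a sealed blob
        # opens only on this chip and only in this boot state.
        return hashlib.sha256(b"seal" + self._seed + pcr_value).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> bytes:
        """Seal a 32-byte secret so it unseals only when PCR == policy_pcr."""
        assert len(secret) == 32
        wk = self._wrap_key(policy_pcr)
        ct = bytes(a ^ b for a, b in zip(secret, wk))  # one-time-pad stand-in
        tag = hmac.new(wk, ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob: bytes):
        """Return the secret, or None if the chip or PCR differs from seal time."""
        wk = self._wrap_key(self.pcr)  # uses the CURRENT PCR value
        ct, tag = blob[:32], blob[32:]
        if not hmac.compare_digest(hmac.new(wk, ct, hashlib.sha256).digest(), tag):
            return None
        return bytes(a ^ b for a, b in zip(ct, wk))

    def quote(self, nonce: bytes) -> bytes:
        """Attestation quote over the verifier's nonce and the current PCR."""
        return hmac.new(self.attestation_key, nonce + self.pcr, hashlib.sha256).digest()


def verify_quote(attestation_key: bytes, nonce: bytes, expected_pcr: bytes, quote: bytes) -> bool:
    """Verifier side: recompute the quote over the PCR value it expects."""
    expected = hmac.new(attestation_key, nonce + expected_pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


# Constructed boot measurements for the demo (not real firmware hashes).
GOOD_BOOT = [b"firmware 1.2", b"bootloader", b"kernel 6.1"]
TAMPERED_BOOT = [b"firmware 1.2", b"bootloader (modified)", b"kernel 6.1"]


def boot(tpm: SimTPM, components) -> None:
    tpm.reset()
    for c in components:
        tpm.extend(c)


def demo() -> dict:
    tpm = SimTPM()
    boot(tpm, GOOD_BOOT)
    golden_pcr = tpm.pcr                   # recorded when disk encryption is enabled
    disk_key = secrets.token_bytes(32)     # volume key (like BitLocker's VMK)
    blob = tpm.seal(disk_key, golden_pcr)  # stored on the disk next to the volume

    results = {}
    boot(tpm, GOOD_BOOT)                   # normal reboot: same measurements
    results["normal_boot_unseals"] = tpm.unseal(blob) == disk_key
    boot(tpm, TAMPERED_BOOT)               # bootloader changed: PCR differs
    results["tampered_boot_unseals"] = tpm.unseal(blob) is not None
    other = SimTPM()                       # drive moved to another machine
    boot(other, GOOD_BOOT)
    results["other_machine_unseals"] = other.unseal(blob) is not None

    nonce = secrets.token_bytes(16)        # fresh challenge from the verifier
    boot(tpm, GOOD_BOOT)
    results["attest_good"] = verify_quote(tpm.attestation_key, nonce, golden_pcr, tpm.quote(nonce))
    boot(tpm, TAMPERED_BOOT)
    results["attest_tampered"] = verify_quote(tpm.attestation_key, nonce, golden_pcr, tpm.quote(nonce))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the normal reboot unsealing the disk key, while the tampered boot and the second machine both get nothing back, and the verifier only accepts the quote from the boot that matches its golden PCR value. The nonce in the quote is what stops an attacker from replaying an old, good quote; in a real deployment the verifier also checks that the attestation key is certified by the chip's endorsement key, so it knows the quote came from a genuine TPM.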

The BIOS of your computer allows you to enable or disable different features of your TPM. On this BIOS, you’ll find it under Security. And under Security, if we scroll down, you’ll see an option for TCG. This stands for Trusted Computing Group, which is the organization that manages the standards for TPM.

On this computer, you see that we have a TPM Security Chip 2.0, and you're able to enable or disable the TPM functionality from inside the BIOS. You can also clear any data that may be stored in the TPM from this setting, and you can configure different parameters on how that information is deleted. Be careful with that option: clearing the TPM destroys the keys stored in it, so if BitLocker or a similar feature relies on the TPM, you'll need your recovery key to get back into the drive.

Well, the TPM is a good choice for managing security on a single device, but in many of our data centers, we might have hundreds or thousands of devices. And every single one of those devices has some type of security key associated with it. In these types of environments, we need some type of large-scale security solution to manage and maintain these keys, and that solution is a Hardware Security Module, or HSM.

HSMs are often used to centralize the storage and management of keys across all of your systems. So if you wanted all of your web server private keys generated and stored on one central, protected device, you would install an HSM and have that device manage those keys. Keys generated inside an HSM are normally marked non-exportable: the HSM will use the key on your behalf, but it will never hand a copy back to the application.

There are also lightweight or personal HSMs that store personal keys on a small device that can be moved from one computer to another. A hardware cryptocurrency wallet is one example of this kind of portable HSM: the keys that control the funds are stored and protected on the device and never leave it.

In a data center, however, we're usually configuring a high-end appliance, or a server fitted with cryptographic hardware, to serve as our HSM. In many cases, this device is not only storing keys, but it's also accelerating cryptographic operations. So for example, instead of your web server handling the private-key operations of the TLS handshake itself, you can have that work take place in hardware on the HSM and offload it from your software-based services. Applications usually talk to the HSM through a standard interface such as PKCS#11, so the application asks for a signature or a decryption and the HSM returns the result without ever exposing the key.

So if we had to compare a TPM with an HSM, we could say that a trusted platform module is generally used on a single system. You're securing data on that local device. It's often built into the motherboard, or you could install it as a separate physical module. And if you are working with a mobile phone that's booting, with a screen lock, or with some type of full-disk encryption, you're probably relying on a TPM or, on a phone, an equivalent hardware-backed secure element.

HSMs, or hardware security modules, tend to be used by many systems, and we're usually storing the keys from multiple devices on the secure storage of the HSM. These are often deployed in a data center as a high-end device, usually with dedicated cryptographic hardware. And they're usually deployed to protect the most important keys in your infrastructure, such as the keys that protect the encryption of your web servers or those used by your certificate authority.