A TPM (Trusted Platform Module) is an international standard for a secure cryptoprocessor (ISO/IEC 11889) and, in everyday use, the chip on a computer's motherboard that implements it. A TPM generates keys and keeps their private portions inside the chip; anything that has to live on disk is stored only in wrapped form, encrypted under a root key that never leaves the TPM. This matters when an attacker pulls the disk and tries to read it elsewhere: the disk holds only wrapped blobs, and the TPM that can unwrap them stays behind. A TPM can also seal secrets to measurements of the boot firmware and software held in its Platform Configuration Registers (PCRs), so moving the chip to another motherboard, or tampering with the firmware to bypass the encryption, changes the measurements and the TPM refuses to release the key.
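To make that "refuses to release the key" behaviour concrete, here is an added Go example (not code from this page or from any TPM vendor) that simulates one chip sealing a disk-encryption key to its boot measurements. The chip secret, the eight PCRs, the firmware strings and the volume key are all constructed for the simulation; a real TPM exposes the same idea through TPM2_PCR_Extend and PCR-bound policies, and the wrap-key derivation here is a stand-in, not the TPM 2.0 key hierarchy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// simChip stands in for one physical TPM (simulation, not real TPM code).
// The storage secret is unique to the chip and never leaves it; the PCRs are
// reset at power-on and extended by the firmware during boot.
type simChip struct {
	storageSecret [32]byte    // models the storage root key that stays inside the chip
	pcrs          [8][32]byte // constructed: eight SHA-256 PCRs instead of the usual 24
}

func newSimChip() (*simChip, error) {
	c := &simChip{}
	if _, err := rand.Read(c.storageSecret[:]); err != nil {
		return nil, err
	}
	return c, nil
}

// PowerOn resets every PCR to zero, as a real TPM does at boot.
func (c *simChip) PowerOn() { c.pcrs = [8][32]byte{} }

// ExtendPCR models TPM2_PCR_Extend: pcr = SHA-256(pcr || measurement).
// Extends are one-way, so an attacker cannot set a PCR to a chosen value.
func (c *simChip) ExtendPCR(idx int, measurement []byte) {
	h := sha256.New()
	h.Write(c.pcrs[idx][:])
	h.Write(measurement)
	copy(c.pcrs[idx][:], h.Sum(nil))
}

// wrapKey derives the blob-protection key from two things an attacker cannot
// reproduce elsewhere: this chip's secret and the selected PCR values.
func (c *simChip) wrapKey(pcrSel []int) []byte {
	h := sha256.New()
	h.Write(c.storageSecret[:])
	for _, i := range pcrSel {
		h.Write(c.pcrs[i][:])
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a volume key so that only this chip, in this boot state, can
// recover it. The returned blob is safe to store on the disk it protects.
func (c *simChip) Seal(volumeKey []byte, pcrSel []int) ([]byte, error) {
	gcm, err := newGCM(c.wrapKey(pcrSel))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, volumeKey, nil), nil
}

// Unseal recovers the volume key. If the chip or the PCR values differ from
// sealing time, the derived wrap key is wrong, GCM authentication fails, and
// the caller gets the "access denied" a thief would see.
func (c *simChip) Unseal(blob []byte, pcrSel []int) ([]byte, error) {
	gcm, err := newGCM(c.wrapKey(pcrSel))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("sealed blob too short")
	}
	key, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, errors.New("unseal denied: chip or platform state does not match")
	}
	return key, nil
}

// bootWith models the firmware measuring itself into PCR 0 after power-on.
func bootWith(c *simChip, firmware string) {
	c.PowerOn()
	c.ExtendPCR(0, []byte(firmware))
}

func main() {
	sel := []int{0}
	volumeKey := []byte("constructed-32-byte-volume-key!!") // constructed sample key
	laptop, _ := newSimChip()
	bootWith(laptop, "vendor-firmware-1.0")
	blob, _ := laptop.Seal(volumeKey, sel)
	_, err := laptop.Unseal(blob, sel)
	fmt.Println("same chip, same firmware:", err)
	bootWith(laptop, "tampered-firmware")
	_, err = laptop.Unseal(blob, sel)
	fmt.Println("same chip, tampered firmware:", err)
	other, _ := newSimChip()
	bootWith(other, "vendor-firmware-1.0")
	_, err = other.Unseal(blob, sel)
	fmt.Println("disk moved to another chip:", err)
}
```

The three scenarios in main map onto the claims above: the original machine in its original boot state unseals; the same machine with tampered firmware fails because PCR 0 now holds a different digest; a disk moved to another machine fails because that chip's storage secret is different. Restoring the original firmware makes the blob usable again, which is also why a firmware update on a real machine can trigger a BitLocker recovery prompt.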
What is the Difference Between HSM and TPM?
For the most part, hardware security modules (HSMs) and TPMs serve a similar purpose: both generate and protect cryptographic keys in hardware. Two differences stand out. An HSM is typically an external or add-in device (a network appliance, a USB token or a PCIe card) built for high-volume key operations shared by many systems, while a TPM is a chip embedded on the motherboard, or firmware running in the CPU, that protects one platform. Because of that, an HSM can be added to a computer or network at any time, whereas adding a TPM to a machine that is already in use is usually not practical.
Does My Computer Have a TPM?
Most off-the-shelf computers ship with a TPM, either a discrete chip soldered onto the motherboard or a firmware TPM built into the CPU. If you are building your own computer, a discrete TPM module is an inexpensive add-on. Installing one is simple: check that the motherboard has a TPM header, plug the module into it, and enable the TPM in the firmware setup menu.
Can You Remove a TPM chip?
This depends on the type of computer you own. As stated above, if you bought the computer off-the-shelf the TPM is typically soldered onto the motherboard (or implemented in the CPU's firmware), so removing it would damage both the TPM and the motherboard and leave neither usable to an attacker. If you installed the TPM yourself as an add-on module, it can be removed easily, but the encrypted contents stay protected: keys sealed in the TPM are bound to the boot measurements of the original platform, so the chip will not release them when it is fitted to another motherboard.
Can You Clear a TPM?
Yes. On Windows you can clear the TPM from the Windows Security app (Device security > Security processor details > Security processor troubleshooting) or from the TPM management console (tpm.msc), and most firmware setup menus offer the same option. Clearing is destructive: every key the TPM holds is erased, and anything protected by those keys, such as BitLocker volumes, certificates with TPM-backed private keys and Windows Hello credentials, becomes unrecoverable unless you have a separate recovery path. If you must clear your TPM, first back up the recovery keys for disk encryption and make sure any TPM-backed certificates can be re-enrolled.
Can a TPM be Hacked?
For the most part TPMs are secure, but in 2010 security researcher Christopher Tarnovsky demonstrated a physical attack on TPM chips made by Infineon Technologies AG, regarded as one of the leading TPM manufacturers. After stripping away the chip's packaging and protective mesh, he used microscopic probes to tap the chip's internal data bus and read data as it moved inside the chip, much like wiretapping a phone call.
So does that make TPMs a liability? Not exactly. The attack took months of work and expensive lab equipment, and Tarnovsky himself said that unless you are a multi-million-dollar corporation it simply isn't worth it, so it is very hard to pull off in a real-world environment. It is, however, a reminder that a TPM raises the cost of a physical attack rather than making one impossible.
Key Attestation
Key attestation proves to a certificate authority that a private key was generated inside a specific TPM and cannot be exported from it. The TPM signs a statement about the new key with its Attestation Key (AK), whose trustworthiness the CA has established in advance through the TPM's Endorsement Key certificate, and the CA checks that signature before it issues a certificate. This matters because a private key stored on disk can be copied by anyone who can read the disk, while a TPM-resident key can only be used on that device, so a certificate issued to an attested key is bound to the hardware rather than to a file.
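As an added example, not part of the original page or SecureW2's software, the following Go program simulates the certify-and-verify exchange: a TPM-side Attestation Key signs over a freshly generated key and a CA-supplied nonce, and the CA accepts the key only when that signature checks out against an AK it already trusts. The simTPM and CA types, the resident-key table, the digest format and the nonces are assumptions of the simulation, not TPM 2.0 structures; the real flow uses TPM2_Certify and ties the AK to the chip through the Endorsement Key certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// simTPM stands in for one chip (simulation, not real TPM code). Its
// Attestation Key never leaves it, and it only certifies keys it created.
type simTPM struct {
	ak       *ecdsa.PrivateKey
	resident map[string]*ecdsa.PrivateKey // keys generated inside the chip, by name
}

func newSimTPM() (*simTPM, error) {
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &simTPM{ak: ak, resident: map[string]*ecdsa.PrivateKey{}}, nil
}

// AKPublic is what the CA enrolls up front. On a real device the CA ties it to
// the chip via the Endorsement Key certificate; here it is trusted directly.
func (t *simTPM) AKPublic() *ecdsa.PublicKey { return &t.ak.PublicKey }

// CreateKey generates a key inside the chip and hands back only its public part.
func (t *simTPM) CreateKey(name string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.resident[name] = k
	return &k.PublicKey, nil
}

// Attestation is the signed statement sent to the CA with the certificate request.
type Attestation struct {
	KeyDER         []byte // SubjectPublicKeyInfo of the attested key
	QualifyingData []byte // nonce supplied by the CA, defeats replay
	Signature      []byte // AK signature over the two fields above
}

// Certify models TPM2_Certify: the AK signs over a resident key and the CA's
// nonce. A key that exists only in software cannot be certified.
func (t *simTPM) Certify(name string, qualifyingData []byte) (*Attestation, error) {
	k, ok := t.resident[name]
	if !ok {
		return nil, errors.New("key not resident in this TPM")
	}
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := attestDigest(der, qualifyingData)
	sig, err := ecdsa.SignASN1(rand.Reader, t.ak, digest[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{KeyDER: der, QualifyingData: qualifyingData, Signature: sig}, nil
}

// attestDigest is the simulation's stand-in for the TPMS_ATTEST structure.
func attestDigest(keyDER, qualifyingData []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("sim-certify/"))
	h.Write(keyDER)
	h.Write(qualifyingData)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// CA issues certificates only for keys proven to live in a trusted TPM.
type CA struct {
	trustedAKs []*ecdsa.PublicKey
}

// VerifyAttestation accepts a key only if the nonce it issued was signed and a
// trusted AK produced the signature. It returns the key the CA may certify.
func (ca *CA) VerifyAttestation(att *Attestation, nonce []byte) (*ecdsa.PublicKey, error) {
	if !bytes.Equal(att.QualifyingData, nonce) {
		return nil, errors.New("qualifying data does not match the nonce issued for this request")
	}
	digest := attestDigest(att.KeyDER, att.QualifyingData)
	for _, ak := range ca.trustedAKs {
		if ecdsa.VerifyASN1(ak, digest[:], att.Signature) {
			pub, err := x509.ParsePKIXPublicKey(att.KeyDER)
			if err != nil {
				return nil, err
			}
			if ecPub, ok := pub.(*ecdsa.PublicKey); ok {
				return ecPub, nil
			}
			return nil, errors.New("attested key is not an EC key")
		}
	}
	return nil, errors.New("attestation was not signed by a trusted AK")
}

func main() {
	tpm, _ := newSimTPM()
	ca := &CA{trustedAKs: []*ecdsa.PublicKey{tpm.AKPublic()}}
	nonce := []byte("constructed-nonce-1") // a real CA draws this from a CSPRNG
	tpm.CreateKey("wifi-client")
	att, _ := tpm.Certify("wifi-client", nonce)
	_, err := ca.VerifyAttestation(att, nonce)
	fmt.Println("TPM-resident key, fresh nonce:", err)
	_, err = ca.VerifyAttestation(att, []byte("constructed-nonce-2"))
	fmt.Println("replayed attestation:", err)
}
```

The checks in VerifyAttestation are the ones a practitioner should expect from any attestation-aware CA: the nonce binds the statement to this request so a captured attestation cannot be replayed, and the signature check against an enrolled AK is what ties the key to a particular chip. A key generated in software never passes, because the simulated chip will not certify a key it does not hold, and a chip whose AK the CA never enrolled is rejected even though its signature is internally valid.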
Trusted Platform Module with Certificates
Using a TPM as your only protection against attackers is not recommended. A TPM protects your keys and files against physical theft of the device or its disk, but it does nothing for the network connection: an over-the-air man-in-the-middle attack against password-based Wi-Fi authentication can still capture the credentials an attacker needs to reach your files. SecureW2 uses certificates to prevent over-the-air attacks, and our management portal also supports key attestation: our software client can attest to where a private key was generated, whether on a security key or on any other device with a TPM. Our industry-leading PKI makes it easy to configure BYOD and managed devices for 802.1X authentication and self-enrollment for certificates in just a few clicks.
We have affordable options for organizations of every size. Check out our pricing here.