
What is a trusted platform module? How It Drastically Boosts Security

If a hacker can get physical access to a computer, they can bypass any locks and passwords to get access to the computer’s data.

That is why encrypting your computer is so important.

But keeping track of a decryption key is another inconvenience.

Using a trusted platform module (TPM) chip can be a lifesaver.

Let’s look at what a trusted platform module is and how it works.

What is a trusted platform module chip?

A Trusted Platform Module (TPM) is a tamper-resistant hardware chip on endpoint devices that handles cryptographic tasks. It can create, store, and protect passwords and cryptographic keys, and it has several features that make it resistant to tampering. Full-disk-encrypted computers often use the TPM for authentication during the boot process.

A TPM chip is a hardware-based security component mounted on the motherboard of a computer or other device.

In most cases, hardware-level security controls are stronger than software-based ones.

Trusted platform modules have quickly grown in popularity over the last decade.

In fact, the United States Department of Defense mandates that any new computer it purchases must have a TPM chip, version 1.2 or later.

What does the TPM chip do?

| Security feature | Benefits if used with TPM |
|---|---|
| Platform Crypto Provider | Keeps the private key for a certificate from being read even if the device is compromised. Protects against dictionary attacks. |
| Virtual Smart Card | Provides the same level of security as a physical smart card. |
| Windows Hello for Business | Credentials can't be copied from the device. Verifies the TPM before credentials are provisioned. |
| BitLocker Drive Encryption | Can be configured to secure various kinds of devices storing data at rest. |
| Device Encryption | Simple data-at-rest encryption. |
| Measured Boot | Boot security measurements that detect malware. |
| Health Attestation | MDM solutions can verify device health before granting access to resources and services. |
| Credential Guard | Protects against malware that has administrative access to a single machine in the environment. |

Let's dive into each of these a little deeper:

Platform Crypto Provider

Windows has a built-in cryptography framework used for various security tasks.

It was designed to allow applications to access it through an API.

This framework adds special security capabilities that a software cryptographic tool could not.

It uses the Platform Crypto Provider to interact with the trusted platform module, which adds these properties:

  • Key protection - Hackers and malware can read security keys out of memory. For example, an encrypted hard drive would normally require the key to be kept in memory while the drive is open. When keys are created and maintained by the TPM, though, they never have to go to memory, where they would be vulnerable.
  • Dictionary attack protection - A dictionary attack is one in which an attacker tries candidate passwords over and over until one produces the hash they are trying to match. When the TPM requires a PIN to access a key (as BitLocker does), it can lock out further guesses after a set number of failed attempts. This works better than comparable software solutions because the TPM keeps the failure counter in its own storage, so the lockout survives a reboot.
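To make the reboot point concrete, here is an added example (not code from the original article or from Microsoft) that models a PIN-protected key with a failed-attempt counter. The `persistent` flag is a constructed stand-in for where the counter lives: in the TPM's non-volatile storage (survives reboot) or only in software memory (cleared by reboot). The PIN, key, limits and the `reboot` method are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Added example: a toy PIN-protected key store with a lockout counter, in the
# style of a TPM's dictionary-attack protection. Not real TPM code.

class PinProtectedKey:
    def __init__(self, pin: str, key: bytes, max_failures: int = 5,
                 persistent: bool = True):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._key = key
        self.max_failures = max_failures
        self.persistent = persistent     # True: counter survives reboot (TPM-style)
        self.failures = 0
        self.locked = False

    def _hash_pin(self, pin: str) -> bytes:
        # Salted, slow hash so the stored value is not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 1000)

    def reboot(self) -> None:
        """A software-only counter is lost on reboot; a TPM-held counter is not."""
        if not self.persistent:
            self.failures = 0
            self.locked = False

    def unlock(self, pin: str):
        """Return the key on a correct PIN, None otherwise; lock after too many failures."""
        if self.locked:
            return None                   # even the right PIN is refused until recovery
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.failures = 0             # a correct PIN resets the counter
            return self._key
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return None


def attempts_evaluated(store: PinProtectedKey, wrong_guesses: int,
                       reboot_every: int) -> int:
    """Measure the lockout guarantee: how many wrong PINs does the store
    actually evaluate when a reboot happens every `reboot_every` attempts?
    Attempts made while locked are refused and not counted."""
    evaluated = 0
    for i in range(1, wrong_guesses + 1):
        if not store.locked:
            store.unlock("wrong-" + str(i))   # constructed, guaranteed-wrong PIN
            evaluated += 1
        if i % reboot_every == 0:
            store.reboot()
    return evaluated


def demo():
    key = b"K" * 32
    tpm = PinProtectedKey("1234", key, max_failures=5, persistent=True)
    soft = PinProtectedKey("1234", key, max_failures=5, persistent=False)
    # 100 wrong PINs, with a reboot after every 4th attempt.
    tpm_count = attempts_evaluated(tpm, 100, reboot_every=4)
    soft_count = attempts_evaluated(soft, 100, reboot_every=4)
    return tpm_count, soft_count, tpm.locked, soft.locked


if __name__ == "__main__":
    t, s, tl, sl = demo()
    print(f"TPM-style counter: {t} attempts evaluated, locked={tl}")
    print(f"software counter:  {s} attempts evaluated, locked={sl}")
```

With a limit of five failures, the persistent counter stops evaluating PINs after the fifth wrong attempt and stays locked through every reboot, while the software-only counter is reset by each reboot and never locks, so all 100 attempts are evaluated. That difference is the whole value of keeping the counter inside the chip.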

Virtual smart cards

Virtual smart cards use the trusted platform module to replicate the multi-factor authentication of a physical smart card.

The TPM stores the key, and the user still has to enter a PIN to access it, so two forms of authentication are still required: something they have (the device holding the TPM) and something they know (the PIN).

Windows Hello for Business

For the past 5 years or so, technology providers like Microsoft have been on a quest to replace passwords.

When people are forced to remember passwords, they tend to form bad habits: reusing passwords, choosing short ones, picking ones that are easy to guess, and so on.

Windows Hello is one of the solutions that Microsoft has been developing.

It allows you to use other forms of authentication such as face scans, fingerprints, PINs, Active Directory accounts, and third-party identity management solutions.

The data is combined with a cryptographic key and stored in the TPM where it is protected from tampering and malware.

BitLocker drive encryption

When your device has a trusted platform module, though, you won't have to enter the decryption password yourself.

The TPM stores the key and supplies it for you.

It may sound risky, but the TPM does a few things to ensure security:

  • Hardware root of trust - certain components of a computer, such as firmware, could in theory be compromised. To stop an attacker from tampering with the system's firmware and bypassing encryption, the TPM establishes a root of trust: hashes (measurements) of important components such as firmware are recorded in the TPM. Then, when it is time to release the disk encryption key, the TPM checks that those measurements are what they should be before proceeding.
  • Key is provided only when boot measurements are correct - as with the hardware root of trust, the TPM checks the Windows boot process to be sure nothing is amiss before providing the decryption key.
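The two bullets above describe one mechanism: each boot stage is measured into a Platform Configuration Register (PCR) before it runs, and the disk key is "sealed" so that it is only released when the PCR holds the expected value. The following is an added example (not code from the article, from Microsoft or from any TPM library) that simulates that behaviour in Python. The PCR extend formula is the standard TPM construction; the sealing scheme (a hash-derived wrap key plus an HMAC tag) and the sample boot chain are constructed stand-ins for the TPM's real sealed-storage mechanism.

```python
import hashlib
import hmac

# Added example: simulated measured boot and key sealing. Not real TPM code.

PCR_INITIAL = b"\x00" * 32          # PCRs start zeroed at power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new_pcr = SHA-256(old_pcr || SHA-256(component)).
    A PCR can only be extended, never written directly, so every stage is
    chained in order and no later stage can erase an earlier measurement."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Each boot stage (firmware, boot manager, OS loader, ...) is measured
    into the PCR before it is allowed to run."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _wrap_key(tpm_secret: bytes, pcr: bytes) -> bytes:
    # Derived from a seed that never leaves the (simulated) TPM plus the PCR value.
    return hashlib.sha256(b"seal-v1" + tpm_secret + pcr).digest()


def seal_key(key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Bind a 32-byte key (e.g. a disk encryption key) to an expected PCR value."""
    if len(key) != 32:
        raise ValueError("this toy sealer handles 32-byte keys only")
    wrap = _wrap_key(tpm_secret, expected_pcr)
    blob = bytes(a ^ b for a, b in zip(key, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal_key(sealed: dict, current_pcr: bytes, tpm_secret: bytes):
    """Release the key only if the current PCR equals the one used at seal time."""
    wrap = _wrap_key(tpm_secret, current_pcr)
    tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None                     # measurements differ: refuse to release
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed sample boot chain (stand-ins for real firmware/loader images).
GOOD_CHAIN = [b"uefi-firmware build 1.0", b"boot-manager", b"os-loader"]
TAMPERED_CHAIN = [b"uefi-firmware build 1.0 (modified)", b"boot-manager", b"os-loader"]
TPM_SECRET = b"constructed-tpm-seed-never-exported"
DISK_KEY = bytes(range(32))


def demo():
    """Seal the disk key against a healthy boot, then try three boots."""
    sealed = seal_key(DISK_KEY, measure_boot_chain(GOOD_CHAIN), TPM_SECRET)
    healthy = unseal_key(sealed, measure_boot_chain(GOOD_CHAIN), TPM_SECRET)
    tampered = unseal_key(sealed, measure_boot_chain(TAMPERED_CHAIN), TPM_SECRET)
    reordered = unseal_key(sealed, measure_boot_chain(GOOD_CHAIN[::-1]), TPM_SECRET)
    return healthy, tampered, reordered


if __name__ == "__main__":
    for label, result in zip(("healthy boot", "tampered firmware", "reordered stages"),
                             demo()):
        print(f"{label:18} -> {'key released' if result else 'refused'}")
```

Only the boot whose measurements exactly reproduce the sealed PCR value gets the key back; a single changed byte in the firmware, or the same stages measured in a different order, yields a different PCR and the key stays sealed. This is also why a legitimate firmware update can leave a BitLocker machine asking for its recovery key: the measurements changed, and the TPM cannot tell an update from an attack.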

Device encryption

Measured boot

Health attestation

Credential guard