What Is a Trusted Platform Module? How It Drastically Boosts Security
If a hacker can get physical access to a computer, they can bypass any locks and passwords to get access to the computer’s data.
That is why encrypting your computer is so important.
But keeping track of a decryption key is another inconvenience.
Using a trusted platform module (TPM) chip can be a lifesaver.
Let’s look at what a trusted platform module is and how it works.
What is a trusted platform module chip?
A Trusted Platform Module (TPM) is a tamper-resistant hardware chip on endpoint devices that handles cryptographic tasks. It can create, store, and protect passwords or cryptographic keys and has several features that make it tamper-resistant. Computers with full-disk encryption often use TPMs for authentication during the boot process.
TPM chips are hardware-based security components mounted on the motherboard of a computer or device.
In most cases, hardware-level security controls are stronger than software-based ones.
Trusted platform modules have quickly grown in popularity over the last decade.
In fact, the United States Department of Defense mandates that any new computers it purchases must have TPM chips, version 1.2 or later.
What does the TPM chip do?
Benefits if used with TPM:
Platform Crypto Provider: Keeps private key for certificate from being read even if device is compromised.
Virtual Smart Card: Creates same level of security as physical smart cards do.
Windows Hello for Business: Credentials can't be copied from device.
BitLocker Drive Encryption: Can be configured to secure various kinds of devices storing data-at-rest.
Simple data-at-rest encryption.
Boot security measurements that detect malware.
MDM solutions can verify health before giving access to resources and services.
Protects from malware with administrative access to a single machine in an environment.
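The boot security measurements mentioned above rest on the TPM's extend-only registers (PCRs): each boot stage is hashed into the register, and a secret can be bound ("sealed") to the resulting value. The following is an added example, not code from the original article or from any vendor; it models a single SHA-256 PCR in plain Python, and ToyTpm, provision, boot, GOOD_CHAIN and DISK_KEY are hypothetical names with constructed sample data.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # a SHA-256 PCR is all zeros after power-on

class ToyTpm:
    """Hypothetical software model: one SHA-256 PCR plus one sealed secret."""

    def __init__(self):
        self.pcr = PCR_RESET
        self._sealed = None  # (PCR value required for release, secret)

    def extend(self, component: bytes):
        # PCR_new = SHA-256(PCR_old || SHA-256(component)). There is no
        # plain write operation, so software cannot set a value of its choice.
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def seal(self, secret: bytes):
        # Bind the secret to the measurements recorded so far.
        self._sealed = (self.pcr, secret)

    def unseal(self) -> bytes:
        required, secret = self._sealed
        if not hmac.compare_digest(required, self.pcr):
            raise PermissionError("boot measurements differ from sealed state")
        return secret

# Constructed sample data, not real firmware images or key material.
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel v1"]
DISK_KEY = b"constructed-disk-key"

def provision() -> ToyTpm:
    """Measure the known-good chain once and seal the disk key to it."""
    tpm = ToyTpm()
    for component in GOOD_CHAIN:
        tpm.extend(component)
    tpm.seal(DISK_KEY)
    return tpm

def boot(tpm: ToyTpm, chain) -> bytes:
    """Reboot (PCR back to zero), measure each stage in order, request the key."""
    tpm.pcr = PCR_RESET
    for component in chain:
        tpm.extend(component)
    return tpm.unseal()
```

A changed or reordered boot stage produces a different PCR value, so `unseal` refuses to release the key until the original chain is measured again.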
Let's dive into each of these a little deeper:
Platform Crypto Provider
Windows has a built-in cryptography framework used for various security tasks.
It was designed to allow applications to access it through an API.
This framework adds special security capabilities that a software cryptographic tool could not.
It uses the Platform crypto provider to interact with the trusted platform module and adds these properties:
Virtual smart cards
Virtual smart cards use the trusted platform module to copy this multi-factor authentication.
The TPM stores the key, and the user still has to enter a PIN to access it, so two forms of authentication are still required: something they have and something they know.
Windows Hello for Business
For the past 5 years or so, technology providers like Microsoft have been on a quest to replace passwords.
When people are forced to remember passwords, they tend to form bad habits: password reuse, short passwords, easy-to-guess passwords, etc.
Windows Hello is one of the solutions that Microsoft has been developing.
It allows you to use other forms of authentication like face scans, fingerprints, PINs, Active Directory accounts, and third-party identity management solutions.
The data is combined with a cryptographic key and stored in the TPM where it is protected from tampering and malware.
BitLocker drive encryption
When your device has a trusted platform module, though, you won’t have to put this password in.
The TPM will store this key and provide it for you.
It may sound risky, but the TPM does a few things to ensure security: