Trusted platform module

JonJ678 · 20 Jun 2009 at 09:40

Hey. I have one of these security chips on my motherboard, which is quite exciting. I've found tpm-tools, but it doesn't look like its been updated in quite a while.

So, has anyone experience with this? Hardware encryption of my hard drive sounds something worth playing with, but I'm not willing to move to windows to achieve this. I'm struggling to find a reasonable link about this beyond wikipedia.

The ideal would be encrypting the entire disk transparently or with boot password, then setting up a linux/windows dual boot as standard. Failing this encrypting partitions separately would also be good.

Essentially I know minimal amounts about computer security, but think I'd like to start learning a bit more. So anything you've got bookmarked on the tpm or personal experience would be great

Cheers

brummie · 20 Jun 2009 at 10:04

If you want to encrypt your hard drive just use the OS. Its so simple in Ubuntu now.

JonJ678 · 20 Jun 2009 at 10:43

I'm aware of the option to encrypt it using the operating system. I believe everything except the boot partition can be encrypted this way, which is perfectly reasonable. Information on this is rather easier to find on Google though.

Despite the software option, I am still interested in uses for this module. I'm unlikely to bother running an encrypted drive permanently, but this doesn't stop me wanting to learn something new. You're quite right that software is the simpler option.

It also occurs that if the tpm approach encrypts the drive at a hardware level, dual boot systems would behave exactly as normal. This would be useful.

whitecrook · 20 Jun 2009 at 12:04

um,,, what happens if you mobo lets out the magic smoke? Is your data totally lost in that case?

tntcoder · 20 Jun 2009 at 12:17

whitecrook said:
um,,, what happens if you mobo lets out the magic smoke? Is your data totally lost in that case?

Im pretty sure you can backup the keys that are stored on a TPM.

Hatter The Mad · 20 Jun 2009 at 12:23

tntcoder said:
Im pretty sure you can backup the keys that are stored on a TPM.

You can

JonJ678 said:
which is quite exciting

Its not

dangerstat · 20 Jun 2009 at 13:18

Unless you have a real need for hardware encryption I'd stay well away from it, unless you know what your doing. I know quite a few people who've thought that reading a page on the interwebz informed them enough to play with encryption options, and then more often than not they're crying about how the fubar'd their entire FS.

Encryption = good *if* you know what your doing, BAD if you don't

Hatter The Mad · 20 Jun 2009 at 13:31

dangerstat said:
Unless you have a real need for hardware encryption I'd stay well away from it, unless you know what your doing.

You do realise that TPM != hardware encryption, right?

JonJ678 · 21 Jun 2009 at 04:46

whitecrook said:
um,,, what happens if you mobo lets out the magic smoke? Is your data totally lost in that case?

Backups for the win

dangerstat said:
more often than not they're crying about how the fubar'd their entire FS.

If my file system goes down, not such a big deal. As long as it doesn't actually kill the drive its on, to the extent that dd with fdisk can't save it, I don't mind hiccups. Appreciate the warning though.

Hatter The Mad said:
You do realise that TPM != hardware encryption, right?

Care to say what it can do then? It certainly looks like it can encrypt things without exposing the keys to ram, which is a good thing and would qualify as hardware encryption in my eyes. Linux support for it isn't looking brilliant at present, but there are hints dotted about that it might work.

tntcoder · 21 Jun 2009 at 12:32

JonJ678 said:
Care to say what it can do then? It certainly looks like it can encrypt things without exposing the keys to ram, which is a good thing and would qualify as hardware encryption in my eyes. Linux support for it isn't looking brilliant at present, but there are hints dotted about that it might work.

Hmm its not really hardware encryption. TPM chips do stuff to help with secure software encryption. For example they offer nice hardware based pseudo-random number generators which provide very high amounts of entropy, this is useful for generating the encryption keys for the encryption software. So your typical software eg bitlocker or pgp can use the chip for securely generating, and securely storing the encryption keys. The chip also uses its own internally managed memory & sealed storage which as you said, prevents exposing keys to the system.

The bad point is, as far as I know there is no standard for these chips, or how to access them. This means that driver support is pretty poor, especially across platforms. I looked into using them a while back for a project and decided it was a bad idea due to lack of support. Hopefully it will get better, but I haven't really heard much good stuff about the current Linux support for them sadly.