Hidden in Plain Sight: Hardware-Based Security
The Trusted Platform Module is an integral part of virtually every enterprise-level
computer sold today.
The TPM is typically a separate application-specific integrated circuit that
provides hardware-based security by establishing a root of trust for subsequent
security measures to build upon.
It can be used to implement solutions for network security, data protection
and user authentication, including full-disk and file and folder encryption.
For example, Microsoft's BitLocker encryption feature (included in the
Windows Vista and Windows 7 operating systems) can use the TPM to secure the
Before a TPM can be used, it must be activated and enabled. The process for
this varies with different computers, but these three steps provide a basic
Step 1: Activate the TPM. Turn on the computer and enter
the BIOS. From the BIOS, change the TPM's status from inactive to active.
Sometimes the BIOS doesn't say "TPM." If you don't
find TPM, then look for words such as "security chip" instead.
Some computers come with software to automate this step, such as Vista's
TPM Initialization Wizard.
Step 2: Install or initialize TPM utility software. If your
computer came with TPM utility software, start it up or install it. Again,
the software may say "security chip" instead of TPM. If you can't
find any such software, you'll need to buy it. Vista and Windows 7 include
basic TPM utility software, which may be sufficient.
Step 3: Take ownership of the TPM. Use the TPM utility software
to assume control of the TPM. In simple terms, this lets you set a TPM password.
After completing these three steps, you can start using the TPM for specific
Security hardware is an invaluable tool in the constant battle to thwart
attackers. Because all new machines (and most that came on the market after
2003) already have TPMs, why not use them?
Disk encryption is a wonderful thing -- and it's even better
with a TPM.
If someone steals your computer, your data stays protected: without your
password, the thief can't access it. The Trusted Platform Module strengthens
disk encryption by preventing decryption on another computer or with tampered
system software. Microsoft has step-by-step
instructions for enabling and using the BitLocker disk encryption feature
included in Windows Vista and Windows 7.
Encryption is the most obvious application of the TPM, but others are also
compelling. The TPM can act like a "smart card on your motherboard,"
providing stronger security than a software certificate and without any
worry about leaving your smart card at home. Just make sure that your TPM
utility software supports your certificate client software (via Microsoft
Crypto API or PKCS#11). Then select the TPM as your cryptographic provider
when requesting a new certificate. The resulting certificate will be tied
to and secured by the TPM.
One special feature of the TPM is that it can verify the integrity of your
operating system and security software. You (or your network administrator,
if so configured) will be notified of any changes to these files, which
might indicate an infection or attack. Access to confidential data can be
blocked until the changes have been investigated.
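As an added illustration (not code from the article or from any TPM vendor), the following Python simulation shows the mechanism behind that integrity check: each boot component is measured into a Platform Configuration Register, a disk key is sealed to the known-good register value, and a changed bootloader both blocks release of the key and is named in the event log. The PCR extend formula is the real TPM 1.2 one; the component names and sample contents are constructed for the example.

```python
import hashlib

# Added simulation of the TPM's measured-boot check, written for this article;
# it is not TPM vendor code and does not talk to a real chip. A TPM 1.2 keeps
# SHA-1 Platform Configuration Registers (PCRs) that reset to zero at power-on
# and can only be "extended", never written directly:
#     PCR_new = SHA1(PCR_old || SHA1(component))
# so the final value depends on every measured component and on their order.

PCR_LEN = 20  # SHA-1 digest size, the PCR width in TPM 1.2

def measure_boot(components):
    """Measure a boot chain [(name, bytes), ...] in order into one PCR.
    Returns the PCR value and an event log of per-component digests: the PCR
    proves whether anything changed, the log shows what changed."""
    pcr, log = bytes(PCR_LEN), []
    for name, blob in components:
        digest = hashlib.sha1(blob).digest()
        log.append((name, digest))
        pcr = hashlib.sha1(pcr + digest).digest()  # the extend operation
    return pcr, log

def seal(secret, expected_pcr):
    """Bind a secret (e.g. a disk key) to the PCR value of a known-good boot."""
    return {"pcr": expected_pcr, "secret": secret}

def unseal(sealed, current_pcr):
    """Release the secret only if the current boot matches the sealed one."""
    if current_pcr != sealed["pcr"]:
        return None  # boot chain differs: keep data locked until investigated
    return sealed["secret"]

def changed_components(good_log, current_log):
    """Names of components whose measurement differs from the known-good log."""
    good = dict(good_log)
    return [name for name, digest in current_log if good.get(name) != digest]

# Constructed sample boot chains standing in for the real measured files.
GOOD_BOOT = [("firmware", b"fw v1"), ("bootloader", b"bl v1"), ("kernel", b"krn v1")]
TAMPERED_BOOT = [("firmware", b"fw v1"), ("bootloader", b"bl v1 [patched]"),
                 ("kernel", b"krn v1")]

def demo():
    golden_pcr, golden_log = measure_boot(GOOD_BOOT)
    blob = seal(b"disk-encryption-key", golden_pcr)
    pcr, log = measure_boot(TAMPERED_BOOT)
    return unseal(blob, pcr), changed_components(golden_log, log)

if __name__ == "__main__":
    print(demo())  # (None, ['bootloader'])
```

A real platform keeps several PCRs and an administrator compares the event log against a baseline; this single-register version shows only the core check.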
More information on the TPM and self-encrypting drives is available on
the Trusted Computing Group website at www.trustedcomputinggroup.org.
Almost 300 million computers with TPMs have shipped, so
there is an extremely high probability that every agency has several in
operation. As part of its High-Assurance Platform Program, the National
Security Agency uses the TPM in a virtualized approach to run multiple secure
environments. And almost all computers acquired by the Defense Department
since July 2007 are required to include a TPM.