TPMs have been shipping for nearly 8 years now. WinMagic was an early adopter and supported TPM version 1.1 for full disk encryption before most. We expanded our support to the more mainstream version 1.2 TPMs when they started shipping. Now more than 100 million TPMs are out there in laptops and other devices, and soon many, many version 2.0 TPMs will join them. TPM 2.0 and disk encryption will be a good topic for a future blog, but today I am going to lay the groundwork by describing where we are now.
First, what is a TPM? According to Wikipedia (http://en.wikipedia.org/wiki/Trusted_Platform_Module), “The Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor. The TPM technical specification was written by a computer industry consortium called the Trusted Computing Group (TCG).” WinMagic is a member of the TCG, which among other things also sets the “Opal” and “Enterprise” standards for self-encrypting drives (SEDs).
While TPMs have lots of capabilities, the key thing that a TPM can bring to a computing device is a hardware root of trust. It has unique asymmetric keys (e.g. RSA keys) built right into the chip, which can be used to uniquely identify the device, and secure storage that cannot be tampered with. That, along with a capability to take “measurements” of the firmware and software environments, enables a system with a TPM not only to reliably attest to its identity, but also to attest that it was in a known state and has not been tampered with before the OS is booted. If malware can take control of a platform underneath or before the OS, there can be no trust in the booted system. This is a significant step in establishing a chain of trust that can extend right into OS-present software.
One of the asymmetric keys built into the TPM is known as the storage root of trust. SecureDoc can leverage this root of trust to ‘protect’ the software encryption keys or, in the case of SEDs, the authentication keys used to unlock the Opal drive. Interestingly, when using the storage root of trust, one doesn’t actually store anything in the TPM. However, some TPMs do have secure non-volatile memory, and in our version bundled with HP we can store backup keys securely right inside the TPM.
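The measurement chain and the key protection described above can be modelled in software. This is an added example, not WinMagic or SecureDoc code: `ToyTPM`, its methods and the boot component strings are hypothetical, and it models a single PCR with the standard extend operation (new PCR = hash of the old PCR concatenated with the measurement) using SHA-256, where TPM 1.2 uses SHA-1.

```python
import hashlib
import hmac

class ToyTPM:
    """Software model of one PCR plus PCR-bound sealing (hypothetical, not a TPM API)."""
    def __init__(self):
        self._sealed = {}  # handle -> (policy PCR, secret); survives reboots
        self.reset()

    def reset(self):
        """Platform reset: the PCR returns to all zeros."""
        self.pcr = bytes(hashlib.sha256().digest_size)

    def extend(self, component: bytes) -> bytes:
        """Measure a component: PCR_new = H(PCR_old || H(component))."""
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        return self.pcr

    def seal(self, handle: str, secret: bytes) -> None:
        """Bind a secret to the current (known-good) PCR value."""
        self._sealed[handle] = (self.pcr, secret)

    def unseal(self, handle: str) -> bytes:
        """Release the secret only if the current PCR matches the sealed policy."""
        policy_pcr, secret = self._sealed[handle]
        if not hmac.compare_digest(policy_pcr, self.pcr):
            raise PermissionError("platform state differs from sealing policy")
        return secret

def measured_boot(tpm: ToyTPM, chain) -> bytes:
    """Reset, then measure each boot stage in order before it would run."""
    tpm.reset()
    for component in chain:
        tpm.extend(component)
    return tpm.pcr

def try_unlock(tpm: ToyTPM, chain, handle="disk-key"):
    """Boot with the given chain; return the sealed key, or None if refused."""
    measured_boot(tpm, chain)
    try:
        return tpm.unseal(handle)
    except PermissionError:
        return None

# Constructed sample boot chains (stand-ins for firmware and boot code images).
GOOD = [b"firmware v1", b"boot loader v1", b"pre-boot auth v1"]
TAMPERED = [b"firmware v1", b"boot loader v1 + bootkit", b"pre-boot auth v1"]
```

Sealing a key after `measured_boot(tpm, GOOD)` and then calling `try_unlock(tpm, TAMPERED)` returns `None`, because the changed boot loader measurement alters every PCR value that follows it.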
If you would like to see TCG Opal drives and TCG TPMs working together, Intel and WinMagic are participating in the Demonstration Showcase at TCG’s annual workshop during RSA Conference 2014 on Monday, February 24, 2014 in San Francisco. Through this demonstration, WinMagic will leverage an HP laptop with an Intel SED to show how easy it is for business users to take advantage of the security provided by HP Drive Encryption, to manage a TCG Opal SED, and to leverage the built-in TPM as part of the authentication process and recovery process.