Author Topic: Trusted Platform Modules (Read 1176 times)

Pudgie · « **on:** August 18, 2017, 12:02:18 PM »

Hi All,

Been doing some research on these and their use. Have noted where Win 10 since vers 1511 is using a version of a "software TPM" to enhance hardware security in computers.

1.) Is it better to use a physical TPM module vs a software solution? So far I haven't ran across any articles that give this info....only the pros & cons, but it seems that progress is moving towards some type of "standard" TPM use.

I've noted that this Gigabyte GA-AX370 Gaming K5 mobo that I have is set up w\ a TPM 2.0 socket on the mobo, the UEFI is set up to accommodate a TPM module and Win 10 is equipped w\ Windows Bitlocker which can make use of a TPM to enhance better security at the hardware level.

Been tempted to pick up 1 from Gigabyte & use it to familiarize myself w\ their usage but am reading up on this for the time being.

If anyone has knowledge of the in's & out's of using TPM...good, bad or indifferent, I'd appreciate it if you would share it.

Main reason for looking at these is to increase security on my wife's box in ways that she can't mess with & TPM looks to be a feasible method to enhance protection on her computer......and if this is good enough I'll also use it on mine as well.

Trying to keep up w\ the times.............

Mar · « **Reply #1 on:** August 18, 2017, 03:44:11 PM »

As I understand it, TPM is a "this hard drive will only work on that motherboard" kind of thing. It's not really something you'd use unless you think your hard drive is likely to be stolen by itself.

Just imagine trying to recover data from that hard drive if the motherboard dies.

As far as making it so your wife can't mess it up, set a BIOS password, but make damn sure you don't forget it.

Pudgie · « **Reply #2 on:** August 19, 2017, 09:42:43 AM »

Quote from: Mar on August 18, 2017, 03:44:11 PM

As I understand it, TPM is a "this hard drive will only work on that motherboard" kind of thing. It's not really something you'd use unless you think your hard drive is likely to be stolen by itself.

Just imagine trying to recover data from that hard drive if the motherboard dies.

As far as making it so your wife can't mess it up, set a BIOS password, but make damn sure you don't forget it.

Thanks for the response Mar.

I'd be fine w\ that aspect of using a physical TPM in either of our computers as that wouldn't bother me at all. But this did peak my interest into checking what this would mean if a NAS is used to store the data from a HDD that has TPM protection enabled on the mobo.....gonna check into that. My initial gut read is if I can transport the physical TPM module w\ the passcode from the old mobo to the new mobo then set TPM up on the new board w\ the same passcode then all "should" come down from the HDD\NAS just fine....as long as the existing physical TPM module didn't get fried along w\ the mobo & the encryption type didn't change.......but I could be wrong.

The main item of interest for looking into physical TPM is, according to the articles that I've read over to date, the hardware device encryption protection that they can provide to the rest of your onboard hardware devices, such as a keyboard & mouse that is plugged into the mobo w\ a physical TPM installed............

Since Win 10 is natively equipped w\ Windows Bitlocker (and unless another viable alternative OS hits the scene fairly soon, is gonna be the defacto OS) I'd feel a little better if I had a hardware application of TPM in use that I have some control over to add to the mix but I want to get as good of an understanding as I can gain of what to expect from TPM usage before I go into using them. 2020 is just around the corner.........

I know nothing is 100% foolproof when it comes to computing security, but to rely fully on a software solution is IMHO not wise....especially when it is embedded in the OS which puts MS in full control of TPM thus your data.

From what I have seen to date, these physical TPM modules are pretty cheap. Businesses\IT personnel aren't using TPM for nothing..........

My 2 cents.

Thanks!

Mar · « **Reply #3 on:** August 19, 2017, 11:35:27 AM »

I'm not what you mean when you say your main interest is in "the hardware device encryption protection that they can provide to the rest of your onboard hardware devices".

As I understand it (and probably should have added already), TPM's primary purpose is to not allow boot if the hardware and/or software configuration has changed. So that means it's not protecting your devices, instead your devices are protecting you, because if one is unplugged then the machine won't boot.

I could be wrong though.

Bizman · « **Reply #4 on:** August 19, 2017, 12:39:02 PM »

For what I've learned (and that is not too much) about hardware encryption, I try to keep away from it if at all possible. All I can see is a potential failure leading to lost data. A thoroughly thought backup plan is a minimum requirement.

For encrypting data there's many programs, such as the free 7-zip.

For disabling an entire system to boot without a password, well, the bios password is good unless someone wants to reset the bios by uninstalling the battery or using the reset jumper, both of which require physical presence by the computer involved.

Evaluating your needs is the key here. Think about the worst scenario that could possibly happen. If it's a crypto-locker attack or a fire burning your house including your data, an external disk outside your house is enough for most household data. Then again, if your computers are filled with business secrets such as plans for an unpatented product that would make you a trilionaire, you'd need very effective shielding especially if "they" know you're working on such an invention.

KISS, that's my rule of thumb. Backup the things you don't want to lose, use encryption if you really have something to hide. There's no one that can help you if your encrypted system fails to boot.

save · « **Reply #5 on:** August 19, 2017, 07:51:40 PM »

I use Veracrypt to keep my whatever I want to keep for myself, specially the hidden volume inside the original volume with other encryption and password is really as safe as it gets if you computer is not already compromised with keyloggers etc.

Also always use a strong VPN if you do not want to be tracked when surfing.

Pudgie · « **Reply #6 on:** August 20, 2017, 09:29:23 AM »

https://docs.microsoft.com/en-us/windows/device-security/tpm/trusted-platform-module-top-node

If you didn't know it already then you do now.

TPM support is native in Win 10 OS, is part of it's security offerings in conjunction w\ Windows Defender as well as Windows Bitlocker & after 7-28-16, all computer hardware is required to comply to TPM 2.0 security standards for Win 10\Server 2016 OS certification.

This includes CPU's & graphics cards as well as other devices and MS does recommend users (consumer users as well....which is us) to use a physical TPM module to get the full security benefits offered thru Win 10 but Win 10 will automatically set up TPM thru itself on your computer if your hardware reports to the OS that it is TPM 2.0 compliant.

If you set up a MS account then Win 10 will store the TPM key info on the MS cloud for "safe keeping".

This now explains a lot to me of why I didn't have the device driver installation issues after installing Win 10 Home on this Gigabyte GA-AX370 Gaming K5 mobo w\ this AMD Ryzen 7 1800X CPU as I did installing the EXACT SAME copy of Win 10 Home prior on my Gigabyte X99M Gaming 3 mobo w\ Intel I7 5820K CPU using the EXACT SAME devices & drivers.............

This may be 1 of the reasons why Win 10 is so finicky being installed in computers using older hardware & why Win 10 isn't "checking up on itself so often" on my box as has been reported as the mobo\CPU I'm using is TPM 2.0 compliant & MS certified......

Enjoy!

Vulcan · « **Reply #7 on:** August 20, 2017, 08:48:29 PM »

Quote from: save on August 19, 2017, 07:51:40 PM

Also always use a strong VPN if you do not want to be tracked when surfing.

Using a VPN, strong or otherwise, makes no difference in the ability to track you. In fact in make you more trackable/easier to infect as you a changing your exit point onto the net, you are entirely at the mercy of the person running that VPN endpoint.

save · « **Reply #8 on:** August 21, 2017, 11:20:30 AM »

It's true if you want to think that some/all VPN vendors are controlled by governments or have been compromised by someone that have the aim to infect you.
Double VPN from a vendor are still safer than be at the mercy of an ISP (that in some countries are required to keep logs of your whereabouts), using browsers that pretty much give anything away about you.

Personally I'm more concerned about software I install than strong double VPN safety.

Using level7 firewalls and good antivirus/malware just makes it a bit more difficult.

My game machine I use for gaming only, browsing is done outside my private network on a separate machine, I do understand that you by bypassing the firewall using VPN from the inside will make it easier to compromise that machine ( if VPN vendor is compromised) since it have no idea what is going through that encrypted tunnel. Its just harder to track.

Total security on the internet does not exist.

Quote from: Vulcan on August 20, 2017, 08:48:29 PM

Using a VPN, strong or otherwise, makes no difference in the ability to track you. In fact in make you more trackable/easier to infect as you a changing your exit point onto the net, you are entirely at the mercy of the person running that VPN endpoint.

Vulcan · « **Reply #9 on:** August 21, 2017, 03:07:03 PM »

You don't get it, you have to get onto the internet somehow. You are justing moving the entry point from your ISP who you know doesn't give a damn - and to be honest most of your traffic is HTTPS so they cannot see what you are doing.

All you are doing is moving your entry point to someone else, likely with a smaller customer base. At the same time you're adding lag etc.

If you a doing something illegal enough to be of interest for them it's pretty easy to track you down. First they can see your VPN traffic flows to your VPN provider, second they can go to said provider and start intercepting your traffic with ease.

VPNS ADD NOTHING TO YOUR PRIVACY (unless you're in prison already). When your tunnel terminates at your vendor it is decrypted. Get it?

All a VPN does is help bypass things like Geo filters.

Skuzzy · « **Reply #10 on:** August 21, 2017, 03:13:20 PM »

Vulcan is spot on.

By the way, we actively block open VPN relays.

save · « **Reply #11 on:** August 21, 2017, 05:01:54 PM »

Pudgie · « **Reply #12 on:** September 02, 2017, 05:00:25 PM »

Update:

Just ordered myself 1 of these.............

https://www.newegg.com/Product/Product.aspx?Item=9SIAD6H5US0629&cm_re=tpm-_-9SIAD6H5US0629-_-Product

Gonna jump in it & learn something.

EagleDNY · « **Reply #13 on:** September 10, 2017, 06:34:32 PM »

Kind of a waste unless you are running in Windows Server land. You can use it, but it is a point of failure / has bugs all its own and is probably a lot more trouble than it is worth.

Pudgie · « **Reply #14 on:** September 14, 2017, 09:44:54 AM »

Well, it appears that this is gonna be short lived anyway....................... ...........

https://www.onmsft.com/news/here-are-the-features-that-are-being-removed-or-deprecated-in-the-upcoming-windows-10-fall-creators-update

TPM is on both of these lists.

Aces High Bulletin Board

Author Topic: Trusted Platform Modules (Read 1176 times)

Pudgie

Trusted Platform Modules

Mar

Re: Trusted Platform Modules

Pudgie

Re: Trusted Platform Modules

Mar

Re: Trusted Platform Modules

Bizman

Re: Trusted Platform Modules

save

Re: Trusted Platform Modules

Pudgie

Re: Trusted Platform Modules

Vulcan

Re: Trusted Platform Modules

save

Re: Trusted Platform Modules

Vulcan

Re: Trusted Platform Modules

Skuzzy

Re: Trusted Platform Modules

save

Re: Trusted Platform Modules

Pudgie

Re: Trusted Platform Modules

EagleDNY

Re: Trusted Platform Modules

Pudgie

Re: Trusted Platform Modules