
Read this article at https://www.pugetsystems.com/guides/1814

Trusted Platform Modules and How To Use Them

Written on July 3, 2020 by Chad Warmenhoven

Why you need this article

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions, and on Windows it is paired with BitLocker. A TPM chip is a secure crypto-processor designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:

  • Generate, store, and limit the use of cryptographic keys.

  • Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into the chip.

  • Help ensure platform integrity by taking and storing security measurements.

During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence of how a system started and to make sure that a TPM-based key is released only when the correct software was used to boot the system.

TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This helps mitigate phishing attacks because the key cannot be copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM activates its dictionary-attack lockout logic and blocks further authorization value guesses.
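The measured-boot mechanism described above, as an added software simulation (not code from the article or from Puget Systems): each boot component is hashed and "extended" into a Platform Configuration Register, and a key sealed to the expected PCR value is released only when the live value matches. The component names are constructed stand-ins for real firmware and loader images.

```powershell
# Added example, not from the article: simulate TPM PCR extend and PCR-bound unseal.
# Real TPMs do this in hardware; this only shows the hash-chain property.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Extend-Pcr {
    # TPM2_PCR_Extend: PCR_new = SHA256(PCR_old || SHA256(component))
    param([byte[]]$Pcr, [byte[]]$Component)
    $sha.ComputeHash([byte[]]($Pcr + $sha.ComputeHash($Component)))
}

function Measure-BootChain {
    # PCRs start at all zeros at power-on; extend each component in boot order.
    param([string[]]$Chain)
    $pcr = New-Object byte[] 32
    foreach ($c in $Chain) { $pcr = Extend-Pcr $pcr ([Text.Encoding]::UTF8.GetBytes($c)) }
    [BitConverter]::ToString($pcr) -replace '-'
}

function Unseal-VolumeKey {
    # The TPM compares the live PCR with the policy value recorded at seal time and
    # withholds the key on any mismatch. Nothing here is guessable or brute-forceable.
    param([string]$PolicyPcr, [string]$CurrentPcr, [string]$SealedKey)
    if ($CurrentPcr -eq $PolicyPcr) { return $SealedKey }
    return $null
}

# Constructed boot chain; the policy PCR is captured when the key is sealed.
$goodChain = 'UEFI-firmware-v1.12', 'bootmgfw.efi', 'winload.efi'
$policy    = Measure-BootChain $goodChain
$vmk       = 'constructed-volume-master-key'

# Normal boot: same components, same order -> same PCR -> key released.
Unseal-VolumeKey $policy (Measure-BootChain $goodChain) $vmk

# Tampered boot: the boot manager was replaced -> different PCR -> key withheld ($null).
$badChain = 'UEFI-firmware-v1.12', 'bootmgfw.efi(modified)', 'winload.efi'
Unseal-VolumeKey $policy (Measure-BootChain $badChain) $vmk

# Same components in a different order also change the PCR: extend is order-sensitive
# and cannot be rolled back, which is why the value is usable as boot evidence.
Unseal-VolumeKey $policy (Measure-BootChain ($goodChain[1, 0, 2])) $vmk
```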

Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site.

Auto activate (EasyMode)

Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases we recommend that you avoid configuring the TPM through the TPM management console, TPM.msc. Once the TPM has configured itself you will have full access to the BitLocker manager and can enable encryption for any drive you need. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. Microsoft is no longer actively developing the TPM management console.

Malware security

Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V, so that datacenters using virtualization can verify that they are not running untrusted hypervisors.

Before you Begin

  • All operating systems configured in Legacy Boot Mode must use TPM 1.2. It is recommended that the BIOS also be updated to the latest revision.
  • All operating systems configured in UEFI Boot Mode can use either TPM 1.2 or TPM 2.0. It is recommended that the BIOS also be updated to the latest revision.
  • If a Windows 7 system is configured for UEFI Boot Mode, this patch may need to be applied in order to utilize TPM 2.0: Microsoft TPM 2.0 Patch

Enabling Bitlocker

Windows BitLocker has become an increasingly popular solution for users to secure their data. The following describes how to enable and disable BitLocker using the standard methods.

Your process may vary depending on your BIOS configuration, but it should be fairly similar to the steps below.

  1. Turn the computer on
  2. As the computer performs POST, press the hotkey (usually F2 or Delete) to enter the BIOS
  3. Once in the BIOS, locate the section that configures Security
  4. In the Security section, locate the TPM option
  5. Highlight the TPM 2.0/1.2 section on the left
  6. Check the TPM box on the right to switch on the TPM
  7. After switching the TPM on, select the option to Activate/Enable the TPM
  8. After the TPM has been activated and enabled, click Save changes and Exit the BIOS
  9. Turn the system on
  10. Sign into the operating system normally

That was easy, right?

Well, that's because that was the easy part. Now we need to enable BitLocker drive encryption for a selected device.

Using Settings:

  1. Click on the Windows Start Menu button
  2. Click the Settings icon
  3. In the search box, type Manage BitLocker
  4. Press Enter or click on the Manage BitLocker icon in the list

Using Start menu:

  1. Click on the Windows Start Menu button
  2. In the search box, type Manage BitLocker
  3. Press Enter or click on the Manage BitLocker icon in the list

Using Hard Drive menu:

  1. Open Computer or My Computer
  2. Select the C: (or Windows system) drive
  3. Right-click the drive that you highlighted
  4. Click Turn on BitLocker (NOTE: this will skip the initial BitLocker screen)
  5. BitLocker will go through a short initialization process
  6. Choose one of a few options for saving the recovery key
  7. After saving the password/key file, click Next
  8. Select one of the volume encryption options
    a. Encrypt entire drive: encrypts all space on the hard drive regardless of whether or not it is used. The encryption takes longer to process
    b. Encrypt used space only: encrypts only the space on the hard drive that is filled with data and leaves free space unencrypted. This is preferred for basic encryption as it is faster (Microsoft intends it for new PCs and drives; on a drive that has already held data, previously deleted files may remain in the unencrypted free space)
  9. After selecting the encryption option, click Next
  10. Choose the type of encryption to use if you get the encryption type selection
    a. New encryption mode is the preferred method of encryption for new systems
  11. Click Next
  12. Click Start Encrypting

Disabling Bitlocker

For one reason or another you may wish to decrypt the drive. Just like encryption, decryption can take anywhere from 20 minutes to a couple of hours, so be patient.

  1. Open the Manage BitLocker windows with one of the above methods
  2. Click Turn off BitLocker
  3. Confirm the decision to turn off BitLocker
  4. Allow the system to decrypt
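The "Enabling BitLocker" and "Disabling BitLocker" procedures above, scripted with the built-in TrustedPlatformModule and BitLocker cmdlets on Windows 10, as an added example (not code from the article or from Puget Systems). It assumes an elevated PowerShell session; the recovery-key folder is a constructed placeholder that should point at a removable drive, never at the volume being encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: enable (or, with -Decrypt, disable) BitLocker
# on a volume using the TPM as the key protector, saving the recovery password first.
param(
    [string]$MountPoint     = 'C:',
    [string]$RecoveryKeyDir = 'E:\BitLocker-Recovery',   # constructed placeholder path
    [switch]$EncryptEntireDrive,                          # default is "Encrypt used space only"
    [switch]$Decrypt                                      # run the "Disabling BitLocker" steps instead
)

# Pre-flight: the TPM must be switched on and activated in the BIOS (steps 1-10 above)
# before BitLocker can use it as a key protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable it in the BIOS first."
}

if ($Decrypt) {
    # "Turn off BitLocker": removes the key protectors and decrypts in the background.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, EncryptionPercentage)
}

if ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is not fully decrypted; refusing to re-run the enable procedure."
}

# Recovery key first (the wizard's "saving the recovery key" step), so a recovery path
# exists before the TPM protector becomes the only way to unlock the drive.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
New-Item -ItemType Directory -Path $RecoveryKeyDir -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyDir "BitLocker-$($env:COMPUTERNAME)-$($rp.KeyProtectorId).txt"
"Recovery password for $MountPoint on $($env:COMPUTERNAME)`r`n$($rp.RecoveryPassword)" | Set-Content -Path $keyFile

# Volume encryption option: "Encrypt entire drive" vs "Encrypt used space only".
$space = if ($EncryptEntireDrive) { @{} } else { @{ UsedSpaceOnly = $true } }

# "New encryption mode" is XTS-AES. The TPM protector binds the volume key to the measured
# boot state, so the drive unlocks only when the boot chain is unchanged.
# -SkipHardwareTest starts encrypting now instead of after a test reboot.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest @space | Out-Null

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

Re-run the last command to watch EncryptionPercentage climb; ProtectionStatus reports On once encryption completes.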

Conclusion

TPM and BitLocker are a great combination, providing secure booting and safe data encryption for the safest possible environment. Windows BitLocker has become an increasingly popular solution for users to secure their data. The nature of hardware-based cryptography ensures that the information stored in hardware is better protected from external software attacks. In BitLocker, a TPM chip is used to protect the encryption keys and provide integrity authentication for a trusted boot pathway. With this article you should have all the tools needed to configure and manage your TPM and BitLocker.
