Wireless Army
This is a blog / tips and tricks website for web developers and security researchers.
follow us in feedly


TPM for full disk encryption
by admin
 at 2016-11-12 16:55:00.

TPM stands for “Trusted Platform Module”. It’s a chip on your computer’s motherboard that helps enable tamper-resistant full-disk encryption without requiring extremely long passphrases.

he TPM generates encryption keys, keeping part of the key to itself. So, if you’re using BitLocker encryption or device encryption on a computer with the TPM, part of the key is stored in the TPM itself, rather than just on the disk. This means an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere.

This chip provides hardware-based authentication and tamper detection, so an attacker can’t attempt to remove the chip and place it on another motherboard, or tamper with the motherboard itself to attempt to bypass the encryption — at least in theory.

You normally just gain access to an encrypted drive by typing your Windows login password, but it’s protected with a longer encryption key than that. That encryption key is partially stored in the TPM, so you actually need your Windows login password and the same computer the drive is from to get access. That’s why the “recovery key” for BitLocker is quite a bit longer — you need that longer recovery key to access your data if you move the drive to another computer.

TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware).

from truecrypt:

 

Some encryption programs use TPM to prevent attacks. Will VeraCrypt use it too?

No. Those programs use TPM to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access.However, if any of these conditions is met, it is actually impossible to secure the computer (see below) and, therefore, you must stop using it (instead of relying on TPM). 

 

If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer). 

 

If the attacker can physically access the computer hardware (and you use it after such an access), he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that will capture the password, the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer again). 

 

The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware). 

 

For more information, please see the sections Physical Security and Malware in thedocumentation.