Personal computing discussed
mattshwink wrote: A TPM is required for some full disk encryption software (Bitlocker being the most notable). There is also other encryption software out there that does not require a TPM (Veracrypt being the most notable).
You would need to provide your chosen motherboard/manufacturer to find a compatible TPM, as they are specific to the manufacturer. But here are links for Gigabyte and Asus modules (and we would have to check to see if the motherboard you are thinking of accepts them):
https://www.amazon.com/Gigabyte-GC-TPM- ... B00U07T0UE
https://www.amazon.com/ASRock-bitlocker ... B00ZHIKGSG
mattshwink wrote: Then you need this: https://www.amazon.com/Gigabyte-Accesso ... B01G97X6T4
Are you installing Windows 10 and planning on using Bitlocker (or other whole disk encryption software)? If so, then you should get this. If not, then it doesn't do anything for you.
mattshwink wrote: So, in the reviews on that one, some say yes and some say no.
Everyone else seems to have it out of stock or on backorder (the Z370 is new):
http://www.tigerdirect.com/applications ... No=5935301
http://www.neobits.com/gigabyte_technol ... BAFBD.jvm1
apkellogg wrote: I am currently in the process of putting together a new Coffee Lake based system and have a quick question. I am interested in purchasing a TPM module for my chosen motherboard (encryption of hard drives including boot drive), however I am unable to find the module for sale anywhere. My question is this: is there any actual benefit to having a TPM module, or is this something I should give up on? Thank you for any advice!
Captain Ned wrote: The whole point of TPM/Bitlocker is to prevent old-school "enthusiasts" like me from using certain Linux-based live CD distros to directly edit the security files and either elevate privilege or to create a new user with admin privilege.
Captain Ned wrote: apkellogg wrote: Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.
Federal Agency X has serious IT security issues.
Kougar wrote: Captain Ned wrote: apkellogg wrote: Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.
Federal Agency X has serious IT security issues.
Just... wow. Why do they even bother with the hassle then?
apkellogg wrote: Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times, but preventing your bit of fun works too!
CScottG wrote: I don't think that Bitlocker requires a TPM for a pre-boot passkey.
TPMs (Windows paradigm) are usually there to act as your pre-boot passkey, automatically providing the key out of memory to start your boot process (so you don't have to input a key).
You can of course ALSO use a pre-boot passkey along with a TPM for Bitlocker.
CAUTION: ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access (though you can of course have it on, left at the pre-boot passkey request, though that seems wasteful). "Sleep" and "Reset" still have it in memory.
Note: you can do the same thing with a self-encrypting drive for your boot drive if you've set it for a pre-boot passkey requirement (and SSDs should have this feature, though always check first).
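The TPM-plus-PIN arrangement CScottG describes, as an added PowerShell example (not code from the thread or any poster): it confirms a TPM is present and ready, sets the local policy equivalent of "Require additional authentication at startup" so a startup PIN can be combined with the TPM, enables BitLocker on the OS volume with a TpmAndPin protector plus a recovery password, and then lists the protector types so you can see that no bare TPM-only protector remains. It assumes Windows 10 Pro or Enterprise run as administrator, the OS volume on C:, and that no domain GPO already manages the FVE policy key.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes Windows 10 Pro/Enterprise with the BitLocker
# module, the OS volume on C:, and no domain GPO managing HKLM\SOFTWARE\Policies\Microsoft\FVE.

# 1. Confirm a TPM is present and ready before relying on it as a key protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found. Enable the firmware TPM (PTT/fTPM) or the header module in UEFI setup first."
}
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
Write-Host "TPM spec version: $spec"

# 2. Local-policy equivalent of 'Require additional authentication at startup'. For the four
#    Use* values: 0 = do not allow, 1 = require, 2 = allow (2 is the default once the policy is on).
#    Set UseTPMPIN to 1 if you want every OS-volume protector to require a PIN.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord   # keep the TPM mandatory
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord

# 3. Enable BitLocker with a TPM+PIN protector. The PIN is read interactively as a SecureString
#    so it never sits in the script or the shell history.
$pin = Read-Host -Prompt 'Startup PIN (6-20 digits)' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest `
    -TpmAndPinProtector -Pin $pin

# 4. Always add a recovery password and record it off the machine: a TPM clear, a firmware
#    update that changes the measured boot values, or a board swap will otherwise strand the volume.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password (store offline, not on this PC): $recovery"

# 5. Verify: expect TpmPin and RecoveryPassword; a plain 'Tpm' entry would mean the PIN is optional.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The verification step at the end is the check worth keeping: `Get-BitLockerVolume` shows exactly which protectors can unlock the drive, so a stray TPM-only protector (which would let the machine boot to the Windows logon screen with no PIN) is visible at a glance.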
apkellogg wrote: My understanding from reading how to set up BitLocker on boot drives seems to imply the only way to use a PIN was to have a TPM module installed. If no TPM, a USB key could be used to store the key if no TPM was installed. Is this understanding incorrect?
In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is re-entered at boot-up. Is this correct?
thecoldanddarkone wrote: Pretty sure sleep keeps memory active; it would have to be a full hibernate or off.
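The sleep-versus-hibernate point thecoldanddarkone raises, as an added PowerShell example (not from the thread): S3 sleep keeps RAM powered with the volume key in it, while hibernate (S4) writes RAM to the encrypted OS volume and powers off, so a TPM+PIN machine asks for the PIN again on resume. The script lists the power states the firmware offers, enables hibernation, applies the local-policy equivalent of "Allow standby states (S1-S3) when sleeping" = Disabled, maps the power button to hibernate, and verifies the result. It assumes a Windows 10 desktop run as administrator and that no domain GPO already manages these power settings; the policy GUID is the standard Allow Standby States setting, which `powercfg /q` will confirm on your build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes a Windows 10 desktop where the BitLocker key
# must not persist in RAM while the machine is unattended: prefer hibernate (S4) over sleep (S3).

# 1. Show which power states the firmware and drivers offer. S3 is the one that keeps RAM powered.
powercfg /a

# 2. Make sure hibernation is available. With a TPM+PIN protector, resume from S4 prompts for
#    the PIN; resume from S3 does not, because the key never left memory.
powercfg /h on

# 3. Local-policy equivalent of 'Allow standby states (S1-S3) when sleeping' = Disabled.
#    The GUID is the 'Allow Standby States' setting in the Sleep subgroup (check with: powercfg /q).
$std = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $std -Force | Out-Null
Set-ItemProperty -Path $std -Name ACSettingIndex -Value 0 -Type DWord   # plugged in
Set-ItemProperty -Path $std -Name DCSettingIndex -Value 0 -Type DWord   # on battery (harmless on a desktop)

# 4. Power button -> hibernate (index 2; 1 would be sleep), and never drift into sleep on idle.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setactive SCHEME_CURRENT

# 5. Verify: the current AC index for the power button should now read 0x00000002.
powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION

# 6. Optional self-check from PowerShell: flag any remaining non-zero standby policy.
$ac = (Get-ItemProperty -Path $std).ACSettingIndex
if ($ac -ne 0) { Write-Warning "Standby still allowed on AC (ACSettingIndex=$ac); check for a GPO override." }
```

Note that this only changes what the OS does; with a TPM-only protector (no PIN) the TPM still releases the key automatically on the next boot or resume from hibernate, which is why the thread's pre-boot PIN matters in the first place.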
CScottG wrote: Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.
just brew it! wrote: CScottG wrote: Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.
I would not discount the FSB here.