Personal computing discussed

Moderator: JustAnEngineer

 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

TPM for a new system?

Tue Oct 10, 2017 4:12 pm

I am currently in the process of putting together a new Coffee Lake based system and have a quick question. I am interested in purchasing a TPM module for my chosen motherboard (encryption of hard drives including boot drive), however I am unable to find the module for sale anywhere. My questions is this, is there any actual benefit to having a TPM module or is this something I should give up on. Thank you for any advice!
 
mattshwink
Gerbil First Class
Posts: 178
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 5:01 pm

A TPM is required for some full disk encryption software (Bitlocker being the most notable). The is also other encryption software out there that does not require a TPM (Veracrypt being the most notable).

You would need to provide your chosen motherboard/manufacturer to find a compatible TPM - as they are specific to manufacturer. But here are links for Gigabyte and Asus modules (and we would have to check to see if the motherboard you are thinking of accepts them):
https://www.amazon.com/Gigabyte-GC-TPM- ... B00U07T0UE
https://www.amazon.com/ASRock-bitlocker ... B00ZHIKGSG
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 5:13 pm

mattshwink wrote:
A TPM is required for some full disk encryption software (Bitlocker being the most notable). The is also other encryption software out there that does not require a TPM (Veracrypt being the most notable).

You would need to provide your chosen motherboard/manufacturer to find a compatible TPM - as they are specific to manufacturer. But here are links for Gigabyte and Asus modules (and we would have to check to see if the motherboard you are thinking of accepts them):
https://www.amazon.com/Gigabyte-GC-TPM- ... B00U07T0UE
https://www.amazon.com/ASRock-bitlocker ... B00ZHIKGSG

I am currently looking at the Gigabyte Z370 HD3P motherboard, which used a new 6x2 pin out. The only gigabyte tpm module I can find is the one you linked to, which is not compatible.
 
mattshwink
Gerbil First Class
Posts: 178
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 7:36 pm

Then you need this: https://www.amazon.com/Gigabyte-Accesso ... B01G97X6T4

Are you installing Windows 10 and planning on using Bitlocker (or other whole disk encryption software?) If so then you should get this. If not, then it doesn't do anything for you.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 8:02 pm

mattshwink wrote:
Then you need this: https://www.amazon.com/Gigabyte-Accesso ... B01G97X6T4

Are you installing Windows 10 and planning on using Bitlocker (or other whole disk encryption software?) If so then you should get this. If not, then it doesn't do anything for you.


Yes, the plan is Windows 10 with BitLocker on all drives. It’s hard to tell from the picture in your link, but it looks like the wrong pin count. Gigabyte’s website shows the module here, https://www.gigabyte.com/Motherboard/GC-TPM20_S#ov, I just can’t find it for sale anywhere.
 
mattshwink
Gerbil First Class
Posts: 178
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 8:51 pm

So the reviews on that one some say yes and some say no.

Everyone else seems to have it out of stock or backorder (the Z370 is new):
http://www.tigerdirect.com/applications ... No=5935301
http://www.neobits.com/gigabyte_technol ... BAFBD.jvm1
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 9:04 pm

mattshwink wrote:
So the reviews on that one some say yes and some say no.

Everyone else seems to have it out of stock or backorder (the Z370 is new):
http://www.tigerdirect.com/applications ... No=5935301
http://www.neobits.com/gigabyte_technol ... BAFBD.jvm1

Thank you for the links! I will keep an eye on them for availability.
 
LostCat
Gerbil Jedi
Posts: 1774
Joined: Thu Aug 26, 2004 6:18 am
Location: Alphanumeric symbols.

Re: TPM for a new system?

Tue Oct 10, 2017 9:28 pm

Isn't it built into processors now? It is on Ryzen. I thought Intel had it as well.
And now I'm no longer primarily a PC gamer. *shrug*
 
shizuka
Gerbil
Posts: 18
Joined: Sun Sep 09, 2012 4:41 pm

Re: TPM for a new system?

Tue Oct 10, 2017 11:51 pm

apkellogg wrote:
I am currently in the process of putting together a new Coffee Lake based system and have a quick question. I am interested in purchasing a TPM module for my chosen motherboard (encryption of hard drives including boot drive), however I am unable to find the module for sale anywhere. My questions is this, is there any actual benefit to having a TPM module or is this something I should give up on. Thank you for any advice!


You should probably just see if your motherboard supports fTPM, ie. firmware implemented TPM 2.0.
I recently got an Apollo Lake system and was surprised to see that, without a TPM installed, Windows was claiming that Bitlocker was supported, which turned out to be the Intel PTT's fTPM.
You'll have to enable Intel Platform Trust Technology, which enables fTPM functionality. If you have a physical TPM, you can't use both at once.
 
Kougar
Silver subscriber
Gerbil Jedi
Posts: 1979
Joined: Tue Dec 02, 2008 2:12 am
Location: Texas

Re: TPM for a new system?

Wed Oct 11, 2017 4:12 pm

apkellogg wrote:
My questions is this, is there any actual benefit to having a TPM module or is this something I should give up on. Thank you for any advice!


Far as I know there isn't really a need for it unless you are running apps that require secure key generation, security for running network apps over a corporate network, or software HDD encryption. Or extra layers of VM protection maybe. The thing is most SSDs (and I think HDDs) already offer hardware disk-level encryption option that is pretty strong, doesn't have an overhead penalty, and when properly implemented has yet to be defeated. An SSD with AES-256 encryption already has the hardware processor and crypto-key on the drive itself for full disk encryption.

if you really want a TPM chip most ASUS Z370 board models have a 14-pin TPM header that I am pretty sure matches this. That said I'd recommend a quick session with ASUS chat for confirmation first before you buy, because ASUS itself has made 2-3 generations of TPM chips using different pinouts.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26386
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TPM for a new system?

Wed Oct 11, 2017 4:22 pm

The whole point of TPM/Bitlocker is to prevent old-school "enthusiasts" like me from using certain Linux-based live CD distros to directly edit the security files and either elevate privilege or to create a new user with admin privilege.
If the Earth were flat, cats would have pushed everything off of it by now.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Wed Oct 11, 2017 5:32 pm

Captain Ned wrote:
The whole point of TPM/Bitlocker is to prevent old-school "enthusiasts" like me from using certain Linux-based live CD distros to directly edit the security files and either elevate privilege or to create a new user with admin privilege.


Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times, but preventing your bit of fun works too!
 
Ryu Connor
Gold subscriber
Global Moderator
Posts: 4209
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: TPM for a new system?

Wed Oct 11, 2017 5:42 pm

TPMs are also required for Virtual Smart Card support.

https://technet.microsoft.com/en-us/library/dn593708(v=ws.11).aspx

Of course that's a very business oriented tool. Whole disk encryption on the other hand is great for all people.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26386
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TPM for a new system?

Wed Oct 11, 2017 5:42 pm

apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.
If the Earth were flat, cats would have pushed everything off of it by now.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Wed Oct 11, 2017 5:48 pm

Captain Ned wrote:
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.

:o :o :o
Why would it not surprise me if it was the IRS.
 
thecoldanddarkone
Minister of Gerbil Affairs
Posts: 2349
Joined: Wed Mar 26, 2003 4:35 pm

Re: TPM for a new system?

Wed Oct 11, 2017 5:54 pm

Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


I wish this surprised me.
I7 4930k, 32 GB Ballistix DDRL3@2133 , 1.2 TB Intel 750 AIC, 500 GB mx200, Sapphire R9 Fury, asus x79 ws, HP ZR24w, edifier s730
HP Pro x2 612- i5-4302Y, 8 gigs of memory, 256 ssd
 
just brew it!
Gold subscriber
Administrator
Posts: 49328
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Wed Oct 11, 2017 6:17 pm

I've seen the "helpdesk phone as PIN" silliness before.

I've also seen password resets handled by setting the password to a fixed default value, at an organization which also enforced a policy that your password could not change more than once per day. So your account was stuck with the default password for an entire day.
Nostalgia isn't what it used to be.
 
Kougar
Silver subscriber
Gerbil Jedi
Posts: 1979
Joined: Tue Dec 02, 2008 2:12 am
Location: Texas

Re: TPM for a new system?

Wed Oct 11, 2017 6:35 pm

Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


Just... wow. Why do they even bother with the hassle then.
 
bthylafh
Grand Gerbil Poohbah
Posts: 3893
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TPM for a new system?

Wed Oct 11, 2017 7:07 pm

Kougar wrote:
Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


Just... wow. Why do they even bother with the hassle then.


Because a superior said they had to.
Hakkaa päälle!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|SanDisk Ultra II 480GB|1988 Model M|Saitek X-45|Logitech MX 518 & F310|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
 
CScottG
Gerbil Elite
Posts: 926
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Wed Oct 11, 2017 11:47 pm

apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times, but preventing your bit of fun works too!


I don't think that Bitlocker requires a TPM for a pre-boot passkey.

TPM's (Windows paradigm) are usually there to act as your pre-boot passkey, automatically providing the key out of memory to start your boot process (so you don't have to input a key).

You can of course ALSO use a pre-boot passkey along with a TPM for Bitlocker.


CAUTION: ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access (..though you can of course have it on - left at the pre-boot passkey request, though that seems wasteful). "Sleep" and "Reset" still have it in memory.

Note: you can do the same thing with a self-encrypting drive for your boot drive if you've set it for a pre-boot passkey requirement (..and SSD's should have this feature, though always check first).
 
just brew it!
Gold subscriber
Administrator
Posts: 49328
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Thu Oct 12, 2017 3:51 am

CScottG wrote:
ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access

That makes sense, since once the system is booted it has access to the (unencrypted) contents of the drive. So any exploit that compromises the security of the running OS potentially gives the attacker access to the drive contents.
Nostalgia isn't what it used to be.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 954
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Thu Oct 12, 2017 9:30 am

CScottG wrote:
I don't think that Bitlocker requires a TPM for a pre-boot passkey.

TPM's (Windows paradigm) are usually there to act as your pre-boot passkey, automatically providing the key out of memory to start your boot process (so you don't have to input a key).

You can of course ALSO use a pre-boot passkey along with a TPM for Bitlocker.


CAUTION: ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access (..though you can of course have it on - left at the pre-boot passkey request, though that seems wasteful). "Sleep" and "Reset" still have it in memory.

Note: you can do the same thing with a self-encrypting drive for your boot drive if you've set it for a pre-boot passkey requirement (..and SSD's should have this feature, though always check first).

My understanding from reading how to set-up BitLocker on boot drives seem to imply the only way to use a PIN was to have a TPM module installed. If no TPM, a USB key could be used to store the key if no TPM was installed. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?
 
thecoldanddarkone
Minister of Gerbil Affairs
Posts: 2349
Joined: Wed Mar 26, 2003 4:35 pm

Re: TPM for a new system?

Thu Oct 12, 2017 11:17 am

Pretty sure sleep keeps memory active, it would have to be a full hibernate or off.
I7 4930k, 32 GB Ballistix DDRL3@2133 , 1.2 TB Intel 750 AIC, 500 GB mx200, Sapphire R9 Fury, asus x79 ws, HP ZR24w, edifier s730
HP Pro x2 612- i5-4302Y, 8 gigs of memory, 256 ssd
 
CScottG
Gerbil Elite
Posts: 926
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Thu Oct 12, 2017 4:34 pm

apkellogg wrote:
My understanding from reading how to set-up BitLocker on boot drives seem to imply the only way to use a PIN was to have a TPM module installed. If no TPM, a USB key could be used to store the key if no TPM was installed. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?


https://www.howtogeek.com/howto/6229/ho ... thout-tpm/


..by "power..pulled" if you mean full shutdown (or hitting the power button on your system with a resulting full "off" state, or simply switching off the power supply or pulling the power supply's power cord), then yes.
 
CScottG
Gerbil Elite
Posts: 926
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Thu Oct 12, 2017 4:36 pm

thecoldanddarkone wrote:
Pretty sure sleep keeps memory active, it would have to be a full hibernate or off.


-it has to be OFF to fully purge memory.
 
CScottG
Gerbil Elite
Posts: 926
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Sat Oct 14, 2017 2:48 pm

Captain Ned wrote:
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.



..with a properly setup UEFI and Secure Boot + TPM and Bitlocker.. maybe not, at least with respect to altering the OS bootloader to gain control of the computer.


The pre-boot key (be it password or a "USB key" or both) really only performs the function of *allowing* the encryption key to be loaded in memory during it's process.

Bitlocker with the above correctly configured UEFI/Secure Boot/TPM/Bitlocker - still goes through its process (moving onto Microsoft's "Trusted Boot" from UEFI's Secure Boot), it's just that you've added an extra "gate" in the form of a required password/USB key. *(..this is like a sed-drive's passkey, except with the unfortunate consequence of the key having the ability to be loaded into system memory instead of a sed-drive's on-chip platform.)

..of course all of this assumes that the UEFI/Secure Boot/TPM/Bitlocker is properly setup.. and that's a BIG assumption (..particularly when it comes to Secure Boot).

-so yeah, maybe it's exactly the scenario you've mentioned. :o :lol:

Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies. (..and the NSA isn't really interested in providing backdoor access to other agencies like the FBI.)


Here is infosecs info. on it:

http://resources.infosecinstitute.com/uefi-and-tpm-2/



The TPM for the motherboard in question is this one:
https://www.gigabyte.com/Motherboard/GC-TPM20_S#ov

The only sales listing I found for this particular TPM (the "S" version) is this one that does NOT have it in stock:
http://www.tigerdirect.com/applications ... No=5935301




*Note that IF you are going to the trouble of pre-boot passkey w/out a TPM (and a passkey that only you know), that the sed-drive is a superior solution.. so long as you fully turn off the computer when you are away from it. Additionally, as far as legality is concerned w/ respect to the requirement to divulge the key - you are best off with an input passkey, NOT a USB key (..or better still, an input key and USB key if that's an option). A favorite little-known book passage is typically a good input passkey (up to the limit of the sed-drive).
 
just brew it!
Gold subscriber
Administrator
Posts: 49328
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Sat Oct 14, 2017 3:04 pm

CScottG wrote:
Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.

I would not discount the FSB here.
Nostalgia isn't what it used to be.
 
CScottG
Gerbil Elite
Posts: 926
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Sat Oct 14, 2017 3:57 pm

just brew it! wrote:
CScottG wrote:
Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.

I would not discount the FSB here.



Other *US* agencies.. :P :lol:

I'm not sure it is though to any other country's security dept.. that would defeat the NSA's purpose (..though I'm pretty sure that GCHQ is an extension of the NSA to circumvent privacy law here and in the UK; ie. we monitor all of the UK and the UK monitors all of the US - on servers we secretly supply no less.)

HOWEVER, I'm quite sure that Microsoft has varying versions of "Trusted Boot" based on geo-data with backdoor access for various country's national security agency - including the FSB. Yet another reason for the "rolling release" paradigm of Windows 10. You know, *10* because its the BEST WINDOWS EVERRRRRRRRRRRRRRRRRR! (..too many RRR's?) :lol:


Of course the FSB (and anyone else) might also have snooker'ed in some backdoor to the bios. :o

Remember, you need to update your bios with a file we(..MB-manufacturer) have on our website to have all the updates you *need*.
What could possibly go wrong there? :roll: :P
 
just brew it!
Gold subscriber
Administrator
Posts: 49328
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Sat Oct 14, 2017 4:42 pm

I figure the NSA/FSB/Chinese already have everything they need to steal my identity and hack into my online accounts, if they haven't already done so. My "protection" is that I am a low-value target... especially given that I no longer work in the defense sector (which would make me much more attractive to the FSB/Chinese).
Nostalgia isn't what it used to be.
 
shizuka
Gerbil
Posts: 18
Joined: Sun Sep 09, 2012 4:41 pm

Re: TPM for a new system?

Sat Oct 14, 2017 4:47 pm

apkellogg wrote:
My understanding from reading how to set-up BitLocker on boot drives seem to imply the only way to use a PIN was to have a TPM module installed. If no TPM, a USB key could be used to store the key if no TPM was installed. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?


The TPM is used to verify the pre-boot environment is trustable, ie. it is not actually some nefarious keylogger pretending to be the PIN entry screen. That's why TPM+PIN is ok, but noTPM+PIN isn't allowed. USB circumvents this attack vector, but it's pretty inconvenient.

I still think you should consider seeing if you can use Intel PTT / firmware TPM 2.0 for BitLocker before shelling out money for a (physical) TPM. I think it's supported on Skylake and newer, but according to https://www.intel.com/content/www/us/en ... oards.html it may be supported on earlier boards.

Who is online

Users browsing this forum: No registered users and 7 guests