 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

TPM for a new system?

Tue Oct 10, 2017 4:12 pm

I am currently in the process of putting together a new Coffee Lake based system and have a quick question. I am interested in purchasing a TPM module for my chosen motherboard (encryption of hard drives including boot drive), however I am unable to find the module for sale anywhere. My question is this: is there any actual benefit to having a TPM module, or is this something I should give up on? Thank you for any advice!
 
mattshwink
Gerbil Team Leader
Posts: 200
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 5:01 pm

A TPM is required for some full disk encryption software (Bitlocker being the most notable). There is also other encryption software out there that does not require a TPM (Veracrypt being the most notable).

You would need to provide your chosen motherboard/manufacturer to find a compatible TPM - as they are specific to manufacturer. But here are links for Gigabyte and Asus modules (and we would have to check to see if the motherboard you are thinking of accepts them):
https://www.amazon.com/Gigabyte-GC-TPM- ... B00U07T0UE
https://www.amazon.com/ASRock-bitlocker ... B00ZHIKGSG
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 5:13 pm

mattshwink wrote:
A TPM is required for some full disk encryption software (Bitlocker being the most notable). There is also other encryption software out there that does not require a TPM (Veracrypt being the most notable).

You would need to provide your chosen motherboard/manufacturer to find a compatible TPM - as they are specific to manufacturer. But here are links for Gigabyte and Asus modules (and we would have to check to see if the motherboard you are thinking of accepts them):
https://www.amazon.com/Gigabyte-GC-TPM- ... B00U07T0UE
https://www.amazon.com/ASRock-bitlocker ... B00ZHIKGSG

I am currently looking at the Gigabyte Z370 HD3P motherboard, which uses a new 6x2 pinout. The only Gigabyte TPM module I can find is the one you linked to, which is not compatible.
 
mattshwink
Gerbil Team Leader
Posts: 200
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 7:36 pm

Then you need this: https://www.amazon.com/Gigabyte-Accesso ... B01G97X6T4

Are you installing Windows 10 and planning on using Bitlocker (or other whole-disk encryption software)? If so, then you should get this. If not, then it doesn't do anything for you.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 8:02 pm

mattshwink wrote:
Then you need this: https://www.amazon.com/Gigabyte-Accesso ... B01G97X6T4

Are you installing Windows 10 and planning on using Bitlocker (or other whole-disk encryption software)? If so, then you should get this. If not, then it doesn't do anything for you.


Yes, the plan is Windows 10 with BitLocker on all drives. It’s hard to tell from the picture in your link, but it looks like the wrong pin count. Gigabyte’s website shows the module here, https://www.gigabyte.com/Motherboard/GC-TPM20_S#ov, I just can’t find it for sale anywhere.
 
mattshwink
Gerbil Team Leader
Posts: 200
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: TPM for a new system?

Tue Oct 10, 2017 8:51 pm

So the reviews on that one: some say yes and some say no.

Everyone else seems to have it out of stock or backorder (the Z370 is new):
http://www.tigerdirect.com/applications ... No=5935301
http://www.neobits.com/gigabyte_technol ... BAFBD.jvm1
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Tue Oct 10, 2017 9:04 pm

mattshwink wrote:
So the reviews on that one: some say yes and some say no.

Everyone else seems to have it out of stock or backorder (the Z370 is new):
http://www.tigerdirect.com/applications ... No=5935301
http://www.neobits.com/gigabyte_technol ... BAFBD.jvm1

Thank you for the links! I will keep an eye on them for availability.
 
LostCat
Minister of Gerbil Affairs
Posts: 2107
Joined: Thu Aug 26, 2004 6:18 am
Location: Earth

Re: TPM for a new system?

Tue Oct 10, 2017 9:28 pm

Isn't it built into processors now? It is on Ryzen. I thought Intel had it as well.
Meow.
 
shizuka
Gerbil
Posts: 19
Joined: Sun Sep 09, 2012 4:41 pm

Re: TPM for a new system?

Tue Oct 10, 2017 11:51 pm

apkellogg wrote:
I am currently in the process of putting together a new Coffee Lake based system and have a quick question. I am interested in purchasing a TPM module for my chosen motherboard (encryption of hard drives including boot drive), however I am unable to find the module for sale anywhere. My question is this: is there any actual benefit to having a TPM module, or is this something I should give up on? Thank you for any advice!


You should probably just see if your motherboard supports fTPM, ie. firmware implemented TPM 2.0.
I recently got an Apollo Lake system and was surprised to see that, without a TPM installed, Windows was claiming that Bitlocker was supported, which turned out to be the Intel PTT's fTPM.
You'll have to enable Intel Platform Trust Technology, which enables fTPM functionality. If you have a physical TPM, you can't use both at once.
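
The check shizuka suggests (does Windows already see a firmware TPM such as Intel PTT, or a discrete module, or nothing?) can be scripted. The following is an added example, not code from any poster in this thread; the function name Get-TpmSummary is my own, the cmdlets Get-Tpm and Get-CimInstance ship with Windows 10, and the mapping of manufacturer code to "firmware TPM" is an assumption I make here (Intel PTT reports itself as INTC, AMD fTPM as AMD), not an official API. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report whether Windows sees a TPM, whether it is ready for use,
# its spec version, and whether it looks like a firmware TPM or a discrete module.
# Requires an elevated PowerShell prompt on Windows 10.

function Get-TpmSummary {
    [CmdletBinding()]
    param()

    $none = [pscustomobject]@{
        Present      = $false
        Ready        = $false
        Manufacturer = $null
        SpecVersion  = $null
        Kind         = 'no TPM visible to Windows (enable Intel PTT in firmware or install a module)'
    }

    # Get-Tpm errors out on some systems with no TPM at all; treat that as "none".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        return $none
    }
    if (-not $tpm.TpmPresent) { return $none }

    # Win32_Tpm carries the spec version string, e.g. "2.0, 0, 1.16" for a TPM 2.0.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Assumption (heuristic, not an official API): firmware TPMs identify
    # themselves with the CPU vendor's code rather than a TPM vendor's.
    $mfr  = "$($tpm.ManufacturerIdTxt)".Trim()
    $kind = switch ($mfr) {
        'INTC'  { 'firmware TPM (Intel PTT)' }
        'AMD'   { 'firmware TPM (AMD fTPM)' }
        default { 'discrete TPM module' }
    }

    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady          # provisioned and usable by BitLocker
        Manufacturer = $mfr
        SpecVersion  = if ($wmi) { $wmi.SpecVersion } else { $null }
        Kind         = $kind
    }
}

Get-TpmSummary | Format-List
```

If Present is false on a Coffee Lake board, the usual fix is the firmware setting shizuka names (Intel Platform Trust Technology); if a discrete module is later added, PTT has to be switched off, since only one of the two can be active.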
 
Kougar
Minister of Gerbil Affairs
Posts: 2306
Joined: Tue Dec 02, 2008 2:12 am
Location: Texas

Re: TPM for a new system?

Wed Oct 11, 2017 4:12 pm

apkellogg wrote:
My question is this: is there any actual benefit to having a TPM module, or is this something I should give up on? Thank you for any advice!


As far as I know there isn't really a need for it unless you are running apps that require secure key generation, security for running network apps over a corporate network, or software HDD encryption. Or extra layers of VM protection maybe. The thing is most SSDs (and I think HDDs) already offer a hardware disk-level encryption option that is pretty strong, doesn't have an overhead penalty, and when properly implemented has yet to be defeated. An SSD with AES-256 encryption already has the hardware processor and crypto-key on the drive itself for full disk encryption.

If you really want a TPM chip, most ASUS Z370 board models have a 14-pin TPM header that I am pretty sure matches this. That said, I'd recommend a quick session with ASUS chat for confirmation first before you buy, because ASUS itself has made 2-3 generations of TPM chips using different pinouts.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TPM for a new system?

Wed Oct 11, 2017 4:22 pm

The whole point of TPM/Bitlocker is to prevent old-school "enthusiasts" like me from using certain Linux-based live CD distros to directly edit the security files and either elevate privilege or to create a new user with admin privilege.
What we have today is way too much pluribus and not enough unum.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Wed Oct 11, 2017 5:32 pm

Captain Ned wrote:
The whole point of TPM/Bitlocker is to prevent old-school "enthusiasts" like me from using certain Linux-based live CD distros to directly edit the security files and either elevate privilege or to create a new user with admin privilege.


Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times, but preventing your bit of fun works too!
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: TPM for a new system?

Wed Oct 11, 2017 5:42 pm

TPMs are also required for Virtual Smart Card support.

https://technet.microsoft.com/en-us/library/dn593708(v=ws.11).aspx

Of course that's a very business oriented tool. Whole disk encryption on the other hand is great for all people.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TPM for a new system?

Wed Oct 11, 2017 5:42 pm

apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.
What we have today is way too much pluribus and not enough unum.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Wed Oct 11, 2017 5:48 pm

Captain Ned wrote:
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.

:o :o :o
Why would it not surprise me if it were the IRS?
 
thecoldanddarkone
Minister of Gerbil Affairs
Posts: 2449
Joined: Wed Mar 26, 2003 4:35 pm

Re: TPM for a new system?

Wed Oct 11, 2017 5:54 pm

Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


I wish this surprised me.
I7 4930k, 32 GB Ballistix DDRL3@2133 , 1.2 TB Intel 750 AIC, 500 GB mx200, Sapphire R9 Fury, asus x79 ws, HP ZR24w, edifier s730
HP Pro x2 612- i5-4302Y, 8 gigs of memory, 256 ssd
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Wed Oct 11, 2017 6:17 pm

I've seen the "helpdesk phone as PIN" silliness before.

I've also seen password resets handled by setting the password to a fixed default value, at an organization which also enforced a policy that your password could not change more than once per day. So your account was stuck with the default password for an entire day.
Nostalgia isn't what it used to be.
 
Kougar
Minister of Gerbil Affairs
Posts: 2306
Joined: Tue Dec 02, 2008 2:12 am
Location: Texas

Re: TPM for a new system?

Wed Oct 11, 2017 6:35 pm

Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


Just... wow. Why do they even bother with the hassle then.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TPM for a new system?

Wed Oct 11, 2017 7:07 pm

Kougar wrote:
Captain Ned wrote:
apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times

I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.


Just... wow. Why do they even bother with the hassle then.


Because a superior said they had to.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
CScottG
Graphmaster Gerbil
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Wed Oct 11, 2017 11:47 pm

apkellogg wrote:
Well, my main point was to add a pre-boot passcode to prevent access to Windows instead of having a USB key attached to the computer at all times, but preventing your bit of fun works too!


I don't think that Bitlocker requires a TPM for a pre-boot passkey.

TPMs (Windows paradigm) are usually there to act as your pre-boot passkey, automatically providing the key out of memory to start your boot process (so you don't have to input a key).

You can of course ALSO use a pre-boot passkey along with a TPM for Bitlocker.


CAUTION: ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access (..though you can of course have it on, left at the pre-boot passkey request, though that seems wasteful). "Sleep" and "Reset" still have it in memory.

Note: you can do the same thing with a self-encrypting drive for your boot drive if you've set it for a pre-boot passkey requirement (..and SSDs should have this feature, though always check first).
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Thu Oct 12, 2017 3:51 am

CScottG wrote:
ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access

That makes sense, since once the system is booted it has access to the (unencrypted) contents of the drive. So any exploit that compromises the security of the running OS potentially gives the attacker access to the drive contents.
Nostalgia isn't what it used to be.
 
apkellogg
Gerbil Elite
Topic Author
Posts: 962
Joined: Wed Feb 25, 2004 10:15 am

Re: TPM for a new system?

Thu Oct 12, 2017 9:30 am

CScottG wrote:
I don't think that Bitlocker requires a TPM for a pre-boot passkey.

TPMs (Windows paradigm) are usually there to act as your pre-boot passkey, automatically providing the key out of memory to start your boot process (so you don't have to input a key).

You can of course ALSO use a pre-boot passkey along with a TPM for Bitlocker.


CAUTION: ANY required pre-boot passkey requires that the system be turned fully OFF to be secure from physical access (..though you can of course have it on, left at the pre-boot passkey request, though that seems wasteful). "Sleep" and "Reset" still have it in memory.

Note: you can do the same thing with a self-encrypting drive for your boot drive if you've set it for a pre-boot passkey requirement (..and SSDs should have this feature, though always check first).

My understanding from reading how to set up BitLocker on boot drives seems to be that the only way to use a PIN is to have a TPM module installed. If there is no TPM, a USB key could be used to store the key instead. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?
 
thecoldanddarkone
Minister of Gerbil Affairs
Posts: 2449
Joined: Wed Mar 26, 2003 4:35 pm

Re: TPM for a new system?

Thu Oct 12, 2017 11:17 am

Pretty sure sleep keeps memory active; it would have to be a full hibernate or off.
I7 4930k, 32 GB Ballistix DDRL3@2133 , 1.2 TB Intel 750 AIC, 500 GB mx200, Sapphire R9 Fury, asus x79 ws, HP ZR24w, edifier s730
HP Pro x2 612- i5-4302Y, 8 gigs of memory, 256 ssd
 
CScottG
Graphmaster Gerbil
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Thu Oct 12, 2017 4:34 pm

apkellogg wrote:
My understanding from reading how to set up BitLocker on boot drives seems to be that the only way to use a PIN is to have a TPM module installed. If there is no TPM, a USB key could be used to store the key instead. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?


https://www.howtogeek.com/howto/6229/ho ... thout-tpm/


..by "power..pulled", if you mean full shutdown (or hitting the power button on your system with a resulting full "off" state, or simply switching off the power supply or pulling the power supply's power cord), then yes.
 
CScottG
Graphmaster Gerbil
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Thu Oct 12, 2017 4:36 pm

thecoldanddarkone wrote:
Pretty sure sleep keeps memory active; it would have to be a full hibernate or off.


-it has to be OFF to fully purge memory.
 
CScottG
Graphmaster Gerbil
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Sat Oct 14, 2017 2:48 pm

Captain Ned wrote:
I've told this before, but let's go back into Federal Agency X folklore. Agency X issues me a laptop so that I can perform duties and securely upload the results to Agency X. Said laptop has a BitLocker 10-digit PIN. Every single laptop issued by Agency X has the same 10-digit PIN. It's the phone number to their help desk.

Federal Agency X has serious IT security issues.



..with a properly setup UEFI and Secure Boot + TPM and Bitlocker.. maybe not, at least with respect to altering the OS bootloader to gain control of the computer.


The pre-boot key (be it password or a "USB key" or both) really only performs the function of *allowing* the encryption key to be loaded in memory during its process.

Bitlocker with the above correctly configured UEFI/Secure Boot/TPM/Bitlocker still goes through its process (moving onto Microsoft's "Trusted Boot" from UEFI's Secure Boot); it's just that you've added an extra "gate" in the form of a required password/USB key. *(..this is like an SED drive's passkey, except with the unfortunate consequence of the key having the ability to be loaded into system memory instead of an SED drive's on-chip platform.)

..of course all of this assumes that the UEFI/Secure Boot/TPM/Bitlocker is properly setup.. and that's a BIG assumption (..particularly when it comes to Secure Boot).

-so yeah, maybe it's exactly the scenario you've mentioned. :o :lol:

Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies. (..and the NSA isn't really interested in providing backdoor access to other agencies like the FBI.)


Here is Infosec Institute's info on it:

http://resources.infosecinstitute.com/uefi-and-tpm-2/



The TPM for the motherboard in question is this one:
https://www.gigabyte.com/Motherboard/GC-TPM20_S#ov

The only sales listing I found for this particular TPM (the "S" version) is this one that does NOT have it in stock:
http://www.tigerdirect.com/applications ... No=5935301




*Note that IF you are going to the trouble of a pre-boot passkey w/out a TPM (and a passkey that only you know), the SED drive is a superior solution.. so long as you fully turn off the computer when you are away from it. Additionally, as far as legality is concerned w/ respect to the requirement to divulge the key, you are best off with an input passkey, NOT a USB key (..or better still, an input key and USB key if that's an option). A favorite little-known book passage is typically a good input passkey (up to the limit of the SED drive).
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Sat Oct 14, 2017 3:04 pm

CScottG wrote:
Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.

I would not discount the FSB here.
Nostalgia isn't what it used to be.
 
CScottG
Graphmaster Gerbil
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: TPM for a new system?

Sat Oct 14, 2017 3:57 pm

just brew it! wrote:
CScottG wrote:
Of course TPM is vulnerable to the NSA, but I'd doubt if it was vulnerable to other agencies.

I would not discount the FSB here.



Other *US* agencies.. :P :lol:

I'm not sure it is though to any other country's security dept.. that would defeat the NSA's purpose (..though I'm pretty sure that GCHQ is an extension of the NSA to circumvent privacy law here and in the UK; ie. we monitor all of the UK and the UK monitors all of the US - on servers we secretly supply no less.)

HOWEVER, I'm quite sure that Microsoft has varying versions of "Trusted Boot" based on geo-data with backdoor access for various countries' national security agencies, including the FSB. Yet another reason for the "rolling release" paradigm of Windows 10. You know, *10* because it's the BEST WINDOWS EVERRRRRRRRRRRRRRRRRR! (..too many RRR's?) :lol:


Of course the FSB (and anyone else) might also have snooker'ed in some backdoor to the bios. :o

Remember, you need to update your bios with a file we(..MB-manufacturer) have on our website to have all the updates you *need*.
What could possibly go wrong there? :roll: :P
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TPM for a new system?

Sat Oct 14, 2017 4:42 pm

I figure the NSA/FSB/Chinese already have everything they need to steal my identity and hack into my online accounts, if they haven't already done so. My "protection" is that I am a low-value target... especially given that I no longer work in the defense sector (which would make me much more attractive to the FSB/Chinese).
Nostalgia isn't what it used to be.
 
shizuka
Gerbil
Posts: 19
Joined: Sun Sep 09, 2012 4:41 pm

Re: TPM for a new system?

Sat Oct 14, 2017 4:47 pm

apkellogg wrote:
My understanding from reading how to set up BitLocker on boot drives seems to be that the only way to use a PIN is to have a TPM module installed. If there is no TPM, a USB key could be used to store the key instead. Is this understanding incorrect?

In regards to the power, this is for a desktop system, so I'm assuming that even if it is in sleep mode, as soon as the power is pulled the key in memory would be lost until the PIN is reentered at boot-up. Is this correct?


The TPM is used to verify the pre-boot environment is trustable, ie. it is not actually some nefarious keylogger pretending to be the PIN entry screen. That's why TPM+PIN is ok, but noTPM+PIN isn't allowed. USB circumvents this attack vector, but it's pretty inconvenient.

I still think you should consider seeing if you can use Intel PTT / firmware TPM 2.0 for BitLocker before shelling out money for a (physical) TPM. I think it's supported on Skylake and newer, but according to https://www.intel.com/content/www/us/en ... oards.html it may be supported on earlier boards.
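
The distinctions drawn in this thread (TPM+PIN versus TPM-only versus a no-TPM password/USB key, the policy that has to be flipped before BitLocker will run without a TPM, and CScottG's warning that sleep leaves the key in RAM while a full shutdown or hibernate does not) can all be read back from a Windows 10 machine. The script below is an added example and not code from any poster; the function names Get-BootVolumeProtection and Enable-TpmPinBitLocker are mine, while Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector, the FVE policy value EnableBDEWithNoTPM and the HibernateEnabled power value are the real Windows cmdlets and registry names. Run it from an elevated prompt.

```powershell
# Added example: audit how the boot volume's BitLocker key is gated and whether
# the machine can actually purge that key from RAM when unattended.
# Requires an elevated PowerShell prompt on Windows 10.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BootVolumeProtection {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # EnableBDEWithNoTPM is the registry value behind the group policy
    # "Allow BitLocker without a compatible TPM"; unset means "not allowed".
    $pol = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    $noTpmAllowed = [bool]($pol -and $pol.EnableBDEWithNoTPM -eq 1)

    # Classify the pre-boot gate the way the thread describes it.
    $gate = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        'TPM + PIN: boot path measured by the TPM, key released only after the PIN'
    } elseif ($types -contains 'Tpm' -or $types -contains 'TpmStartupKey') {
        'TPM without PIN: key released automatically on an unmodified boot path'
    } elseif ($types -contains 'Password' -or $types -contains 'ExternalKey') {
        'no TPM: password or USB startup key, pre-boot environment is not measured'
    } else {
        'no pre-boot protector (volume unprotected or protection suspended)'
    }

    # Hibernate writes RAM to disk and powers off; plain sleep keeps RAM (and the
    # volume key) powered, which is the case CScottG warns about.
    $power     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernate = [bool]($power.HibernateEnabled -eq 1)

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        KeyProtectors    = ($types -join ', ')
        PreBootGate      = $gate
        NoTpmPolicyOn    = $noTpmAllowed
        HibernateEnabled = $hibernate
    }
}

# The TPM + PIN configuration the thread settles on. Defined but not invoked
# here: review the audit output first, then call it deliberately.
function Enable-TpmPinBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    $pin = Read-Host -Prompt 'Choose a BitLocker startup PIN' -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                     -TpmAndPinProtector -Pin $pin
    # Keep a recovery password as well: a firmware update changes the TPM
    # measurements and the TPM will then refuse to release the key.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

Get-BootVolumeProtection | Format-List
```

On a machine with only a Password or ExternalKey protector and NoTmPolicyOn false, Windows will not add a PIN, which is exactly the "noTPM+PIN isn't allowed" case above; with a TpmPin protector present, the remaining gap is HibernateEnabled false combined with a habit of putting the desktop to sleep rather than shutting it down.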
