Trusted Platform Module cryptochip explained

Trusted Platform Module hardware contains a built-in chip with cryptographic capabilities. It can perform RSA 2048-bit public key encryption and decryption and has its own internal hardware engine for SHA-1 hashing. The private encryption keys are created within the TPM chip and never exposed to outside elements. TPM chips are usually found in high-end notebooks; many of the laptops using a fingerprint reader to log in are linked to the motherboard’s TPM security chip.

A Trusted Platform Module chip stores digital certificates, some of which are file encryption and login authentication keys. The data can only be decrypted by the TPM chip itself. One of the requirements for a notebook to contain a TPM chip is that the chip has been permanently attached by soldering it down to the motherboard. Anti-tampering mechanisms, e.g. tamper-proof tape, are recommended but not mandatory.

A TPM chip can optionally create a key tied to specific computer hardware, known as “sealing” a key, by taking a snapshot of the computer's values and hashing them (a checksum). Where a TPM-sealed key exists, the hashes are compared every time the computer boots, and if they do not match the computer will not boot. Removing the hard drive from the device and plugging it in somewhere else will make it unbootable.
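The sealing behaviour described above, as an added example that is not part of the original article: a simplified Python model, not code for a real TPM. It assumes the TPM 1.2 style extend operation (new register value = SHA-1 of the old value followed by the component's SHA-1 hash); `ToyTpm`, the component names and the XOR/HMAC wrapping are hypothetical stand-ins for what the chip does internally.

```python
import hashlib, hmac, os

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM 1.2-style extend: new value = SHA-1(old value || SHA-1(component))
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(20)                      # register is all zeros after reset
    for blob in components:              # order matters: each step chains on the last
        pcr = extend(pcr, blob)
    return pcr

class ToyTpm:
    """Hypothetical software stand-in for the chip; not a real TPM interface."""
    def __init__(self):
        self._root = os.urandom(32)      # chip-internal secret, never returned

    def _pad(self, nonce: bytes, pcr: bytes, n: int) -> bytes:
        return hashlib.shake_256(self._root + nonce + pcr).digest(n)

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._pad(nonce, pcr, len(secret))))
        tag = hmac.new(self._root, nonce + pcr + ct, hashlib.sha256).digest()
        return nonce + tag + ct          # opaque blob, can be stored on the disk

    def unseal(self, blob: bytes, current_pcr: bytes) -> bytes:
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        want = hmac.new(self._root, nonce + current_pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise PermissionError("snapshot mismatch or different chip")
        return bytes(a ^ b for a, b in zip(ct, self._pad(nonce, current_pcr, len(ct))))

def try_unseal(tpm, blob, components):
    try:
        return tpm.unseal(blob, measure_boot(components))
    except PermissionError:
        return None                      # the chip refused to release the key

# Constructed sample boot chains (not real firmware images).
GOOD_BOOT = [b"firmware-1.0", b"bootloader-1.0", b"kernel-1.0"]
TAMPERED_BOOT = [b"firmware-1.0", b"bootloader-modified", b"kernel-1.0"]

if __name__ == "__main__":
    chip = ToyTpm()
    blob = chip.seal(b"disk-encryption-key", measure_boot(GOOD_BOOT))
    print("same machine, same boot :", try_unseal(chip, blob, GOOD_BOOT))
    print("same machine, tampered  :", try_unseal(chip, blob, TAMPERED_BOOT))
    print("disk moved to other chip:", try_unseal(ToyTpm(), blob, GOOD_BOOT))
```

The second and third calls return `None`: a changed boot component alters the chained hash, and a different chip holds a different internal secret, so in both cases the sealed key is not released.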

Trusted Platform Module encryption diagram

How to enable a TPM security chip

Not all computers have a TPM chip; it is normally found in enterprise-level laptops. Most of them come with the Trusted Platform Module chip disabled by default, so you will need to enable it in the BIOS.

To enter the BIOS, press Del or F2 (depending on BIOS brand) while rebooting the computer. The TPM chip settings are found under “Integrated Peripherals” or in a separate “Security Section” that some motherboards have. Choose to enable it, save the BIOS settings and boot your operating system. You will now need to install the motherboard device driver for the TPM chip, which the motherboard manufacturer provides.

TPM chip security considerations

Full disk encryption software like BitLocker and PGP Whole Disk Encryption can be used with a TPM chip, but some basic security measures must be taken, like establishing ownership of your TPM chip by setting up its own unique password, totally independent of other passwords. Because the private encryption keys will be stored inside the TPM chip, if you replace the computer motherboard or reset it to factory settings you will no longer be able to access your fully encrypted operating system.

Embassy Trust Suite, a business security suite that comes with most Dell business computers and can implement full disk encryption, makes use of the TPM hardware chip to generate encryption keys.