Trusted Platform Module (TPM) Overview
TPM without PBA. TPM support is currently limited to the FDE component only. This means that if you want to use this feature you cannot install the PBA. Doing so will result in a fatal error (blue screen). TPM support can only be used if the computer vendor fully supports the on-board TPM chip in the BIOS. Please check this before proceeding with any installation.
Matrix42 security can be taken to a new level via the use of a TPM chip found on most business-oriented computers. Matrix42 Full Disk Encryption offers the following advantages when using the TPM chip:
- The hard disk Key Encryption Key (KEK) is encrypted through the TPM using an RSA key. This means that the hard disk cannot be removed and placed in another computer because the encryption used for the KEK is unique to the original TPM chip.
- ‘Disk Roaming’ can be achieved in an emergency scenario via the BartPE plug-in by temporarily deactivating the TPM. As an alternative you can add TPM key files from other computers to Matrix42 Full Disk Encryption so that a hard disk can be easily transported and used on a backup computer.
TPM support in Matrix42 Full Disk Encryption is based on encrypting the KEK using a unique TPM-based RSA key. With this key we encrypt the TPM secret. Both the RSA key and the encrypted TPM secret are stored in the Matrix42 partition – not in the TPM itself. The TPM secret protects the KEK wherever it is stored in the partition.
The TPM functionality can be tested during TPM activation under Windows, but this test does not ensure that TPM access also works correctly in the boot code or the PBA. To keep Matrix42 robust, activation under Windows therefore only enables a self-initialization mode in which the KEK is not yet encrypted; the real TPM protection of the KEK is applied during the next boot, once the TPM functions have been called successfully from the boot code.
Requirements
For successful TPM operation, several requirements must be met before trying to enable TPM support in Matrix42 Full Disk Encryption:
- The TPM must be turned on and activated in the computer BIOS.
- The TPM must have an owner.
- The SRK protection for generating and loading a key must be the well-known secret.
- The TCG Software Stack (TSS) must be installed in Windows. Matrix42 Full Disk Encryption expects to find the TSS in one of the following forms:
  - tsp.dll
  - tsp1.dll
  - as a COM object
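A preflight check for the requirements above, added here as an example and not part of the Matrix42 documentation. It assumes Windows Vista or later (the Win32_Tpm WMI class), an elevated session, and that the TSS DLLs, if installed, sit in a directory on the PATH; the COM variant and the SRK secret cannot be verified from this script.

```powershell
# Preflight check for the Matrix42 FDE TPM requirements listed above.
# Added example, not Matrix42 code. Assumes Windows Vista or later, where the
# Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm) is available.
# Run from an elevated PowerShell session; the TPM methods require admin rights.

$results = [ordered]@{}

# 1. TPM turned on and activated in the BIOS; 2. TPM has an owner.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $results['TPM present']   = $false
    $results['TPM enabled']   = $false
    $results['TPM activated'] = $false
    $results['TPM owned']     = $false
} else {
    $results['TPM present']   = $true
    $results['TPM enabled']   = [bool]$tpm.IsEnabled().IsEnabled
    $results['TPM activated'] = [bool]$tpm.IsActivated().IsActivated
    $results['TPM owned']     = [bool]$tpm.IsOwned().IsOwned
}

# 3. The SRK must use the well-known secret. Windows does not expose the SRK
#    authorization value, so this is reported as unknown and has to be
#    confirmed with the vendor's TPM management tools.
$results['SRK well-known secret'] = 'unknown (verify manually)'

# 4. A TSS reachable as tsp.dll or tsp1.dll. Assumption: the DLL lives in a
#    directory on the PATH (for example System32). The COM object variant is
#    not checked because the documentation does not name its ProgID.
$searchDirs = $env:Path -split ';' | Where-Object { $_ }
foreach ($dll in 'tsp.dll', 'tsp1.dll') {
    $found = $searchDirs |
        ForEach-Object { Join-Path $_ $dll } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    $results["TSS $dll"] = if ($found) { $found } else { 'not found' }
}

$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

# Only the BIOS/ownership state can be decided automatically here.
$ready = $results['TPM enabled'] -and $results['TPM activated'] -and $results['TPM owned']
"TPM state acceptable for Matrix42 activation (SRK and TSS checked separately): $ready"
```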
Limitations
TPM support is currently limited to the FDE component only. This means that if you want to use this feature you cannot install the PBA. Doing so will result in a fatal error (blue screen).
Tested systems
System | TPM Vendor | BIOS Access | Windows TSS |
---|---|---|---|
Toshiba Portege M400 (notebook) | Infineon | Failed | COM |
Fujitsu-Siemens Esprimo E 5616 (desktop) | Infineon | Successful | COM |
DELL Latitude D620 (notebook) | Broadcom | Successful | TSP.DLL |
DELL Optiplex (desktop) | STMicroelectronics | Successful | TSP1 |
If your system does not appear in the list, it only means that such a combination has not yet been tested.