TPM Usage
This section details how to enable, disable, and enhance TPM support for Matrix42 Full Disk Encryption.
TPM administration module (attended mode)
This section details how to manually perform TPM-related tasks on a Matrix42 Full Disk Encryption installation. Follow these steps to perform manual TPM-related tasks in Matrix42 FDE:
- Open the Windows Control Panel and double-click the Matrix42 Full Disk Encryption icon.
- The Full Disk Encryption Control Center appears:
- Double-click the TPM Administration module, enter the Matrix42 FDE administration password when prompted, and click OK.
- If the TPM chip is not ready for Matrix42 FDE, the following dialog appears. Please make sure that you have fulfilled the requirements as stated in chapter 3.1. Restart the TPM installation once the TPM chip is correctly initialized.
- The TPM Administration dialog appears. The TPM vendor is displayed in the Hardware Model field at the top of the dialog. The following options are available:
Option | Description
---|---
TPM protection will be activated during next boot | Check this option to enable/disable TPM support.
Generate… | Generate a TPM key file for emergency recovery purposes and safe storage. This key file will allow the data on a hard disk to be transferred from one computer to another to be authenticated by the new TPM (see Import below). NOTE: A filename extension is optional (it has no effect on the functionality).
Import… | Import a TPM key file so that a hard disk (previously encrypted by another TPM) can be recognized by this TPM chip.
Delete… | Delete a selected key from the list.
Verify all keys | Verify that keys loaded onto this computer can be used by this TPM chip. This should prevent an administrator from deleting keys that apply to the local installation.
- Click OK to close the TPM Administration dialog.
- Once the TPM is activated, the TPM administration dialog should look like this:
Remote TPM functionality (unattended mode)
Follow these steps to silently enable TPM support in Matrix42 Full Disk Encryption:
- Open a command prompt (administrator privileges are required for this task).
- Navigate to the executable used for TPM tasks (TPMAdmin.exe) located under: C:\Windows\NAC\
The following parameters are allowed:
TPMAdmin.exe [-password <admin Password>] [-generate <generated key file>] [-import <import key file>] [-activate] [-deactivate] [-h]
The parameters have the following function:
Syntax | Mandatory / Optional | Description
---|---|---
`-h` | O | Display the options listed here in the command prompt.
`-password <FS administration password>` | M (except for keyfile generation) | The Matrix42 FDE administration password set during installation/initialization.
`-generate <generated key file>` | O | Generate a TPM key file for emergency recovery purposes and safe storage. This will allow a hard disk to be transferred from one computer to another. NOTE: A filename extension is optional (it has no effect on the functionality). If a full path is not specified, then the key file will be saved to the same directory as the TPMAdmin module (C:\Windows\NAC\).
`-import <import key file>` | O | Import a TPM key file so that a hard disk can be recognized by this TPM chip. NOTE: This must include the full path to the key file.
`-activate` | O | Activate TPM functionality. NOTE: Remember, the activation requires a reboot for the full functionality to become active.
`-deactivate` | O | Disable TPM functionality.
Examples
- To enable the TPM:
TPMAdmin.exe -password 12345678 -activate
- To disable the TPM:
TPMAdmin.exe -password 12345678 -deactivate
- To generate a TPM key file:
TPMAdmin.exe -generate MATRIX42notebook01TPM
Or…
TPMAdmin.exe -generate MATRIX42notebook01TPM.keyfile
Or…
TPMAdmin.exe -generate N:\TPMbackup\MATRIX42notebook01TPM
- To import a TPM key file:
TPMAdmin.exe -password 12345678 -import N:\TPMbackup\MATRIX42notebook01TPM
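The following PowerShell wrapper is an added example and is not part of the Matrix42 documentation or product. It chains the documented TPMAdmin.exe switches into one unattended run: it generates the emergency key file to a backup location first, confirms the file exists, and only then activates TPM protection, so a machine is never bound to its TPM without a recovery key on file. It uses only the switches listed in the parameter table above. Assumptions not stated on the page: TPMAdmin.exe returns exit code 0 on success; the share `\\backupsrv\TPMbackup` and the credential file `C:\ProgramData\fde-admin.cred` are constructed placeholders; and `-generate` writes the key file under exactly the name it is given.

```powershell
# Added example (not Matrix42 code): unattended TPM activation/deactivation/import
# wrapper around TPMAdmin.exe using only the switches documented on this page.
# ASSUMPTIONS: exit code 0 = success (not stated by the page); the backup share and
# credential file paths below are placeholders; -generate writes the file verbatim.

param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('activate', 'deactivate', 'import')]
    [string]$Action,

    # Full path of an existing key file; used only with -Action import
    [string]$KeyFile,

    # Placeholder backup location; replace with the site's real share
    [string]$BackupShare = '\\backupsrv\TPMbackup'
)

$TpmAdmin = 'C:\Windows\NAC\TPMAdmin.exe'   # install path given on this page

if (-not (Test-Path -LiteralPath $TpmAdmin)) {
    throw "TPMAdmin.exe not found at $TpmAdmin; is Matrix42 FDE installed?"
}

# Read the FDE administration password from a DPAPI-protected file instead of
# hard-coding it in the script. The file is assumed to have been created on this
# machine by the deploying account with:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\ProgramData\fde-admin.cred
$credFile = 'C:\ProgramData\fde-admin.cred'
$secure   = Get-Content -LiteralPath $credFile | ConvertTo-SecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-TpmAdmin {
    param([string[]]$Arguments)
    & $TpmAdmin @Arguments
    if ($LASTEXITCODE -ne 0) {          # assumed: non-zero exit code means failure
        throw "TPMAdmin.exe failed for action '$Action' with exit code $LASTEXITCODE"
    }
}

switch ($Action) {
    'activate' {
        # 1. Generate the emergency key file BEFORE activation, named after the
        #    host (same pattern as the page's MATRIX42notebook01TPM example).
        $keyPath = Join-Path $BackupShare ("{0}TPM" -f $env:COMPUTERNAME)
        Invoke-TpmAdmin @('-generate', $keyPath)
        if (-not (Test-Path -LiteralPath $keyPath)) {
            throw "Key file $keyPath was not written; aborting before activation"
        }
        # 2. Only now bind the disk to this TPM. A reboot is still required.
        Invoke-TpmAdmin @('-password', $password, '-activate')
        Write-Output "TPM protection will be activated on next boot; key file stored at $keyPath"
    }
    'deactivate' {
        Invoke-TpmAdmin @('-password', $password, '-deactivate')
    }
    'import' {
        if (-not $KeyFile -or -not (Test-Path -LiteralPath $KeyFile)) {
            throw 'Provide -KeyFile with the full path to an existing key file'
        }
        # -import requires the full path to the key file (see the parameter table)
        $fullPath = (Resolve-Path -LiteralPath $KeyFile).Path
        Invoke-TpmAdmin @('-password', $password, '-import', $fullPath)
    }
}
```

Run it from an elevated prompt, for example `.\Set-FdeTpm.ps1 -Action activate` on the machine being enrolled, or `.\Set-FdeTpm.ps1 -Action import -KeyFile N:\TPMbackup\MATRIX42notebook01TPM` on a replacement machine. The script does not reboot; schedule the reboot separately once the key file has been confirmed on the backup share. Note that TPMAdmin.exe itself still receives the administration password as a process argument, so restrict the credential file's ACL to the deploying account and keep script transcripts out of shared logs.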