Windows 11 has suddenly drawn attention to a little-known type of hardware, a device that could be the cornerstone of the new operating system’s success. Meet TPM.
The purpose of this small crypto processor is to protect data, whether it belongs to a company or an individual. TPM stands for Trusted Platform Module. It is hardware that has been around for over a decade, and it is physically modest: normally a small processor chip whose task is to protect the data of the device it sits in.
Given the prevalence of laptops and tablets, data protection is particularly important, as such portable devices are more often misplaced or stolen.
Every lost laptop is a potential disaster, as such devices often contain sensitive data, such as personnel information, financial data, or your secret plans to take over the world. These are things you would prefer to keep to yourself.
A TPM helps with this. Among other things, it can generate and store encryption keys so that a device that goes astray cannot be misused by unauthorized persons.
TPM in practice
Devices with a TPM let the user secure the system in several ways. First, the TPM acts as a hardware-level first line of defense that can secure the startup process before the operating system takes over. In addition, the TPM can be used by any supported application that relies on secure login or authentication, for example DRM in Microsoft 365 software or logging in to specific domains.
How much the TPM chip is used depends on the manufacturer of the machine. Some manufacturers make more extensive use of it than others, and in most cases you need to actively turn on security settings to keep your data safe. For example, the TPM can be used to encrypt all or part of your hard drive or to secure the use of email or VPN services, and it is good to have in place when the device is eventually thrown out, so that you do not end up with confidential data freely accessible to others.
TPM is hard to beat
TPM-based encryption is extremely difficult to overcome. Data encrypted with the TPM chip cannot be read without the correct key, and it is not affected by operating system exploits or other software-based attacks, because the keys are handled independently by the TPM chip.
It is also not vulnerable to physical attacks. Devices with TPM turned on know when hardware is added or removed, so you can configure the machine to refuse to run when it detects any changes in the hardware.
You also cannot bypass the encryption by removing the hard disk and plugging it into another machine, because TPM-based encryption can only be unlocked by the specific TPM chip that originally locked the disk.
Even extreme methods, such as removing the TPM chip from one machine and inserting it into another, will not work, because the TPM chip is tied to the device it was originally installed in.
Taken as a whole, this means that TPM modules can offer companies something very important: the assurance that a lost device does not necessarily mean that its data has fallen into the wrong hands.
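How the binding described above works, as an added simulation that is not code from the article: each boot component is hashed into a Platform Configuration Register (TPM 2.0 PCR extend), and the disk key is sealed to one chip's secret plus one expected PCR value, so a modified boot chain or a different chip cannot release it. The chip secrets, boot components and disk key are constructed sample values, and the HMAC/XOR wrapping stands in for the TPM's real storage key hierarchy and policy digest.

```python
"""Simulation of TPM measured boot and key sealing (added example, not the article's code)."""
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 32  # a SHA-256 PCR bank starts as 32 zero bytes at reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = SHA256(PCR_old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend each boot component, in order, into one PCR (the measured boot chain)."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes, chip_secret: bytes):
    """Seal a 32-byte secret to one chip and one PCR value.
    Simplified model: the wrapping key is derived from a per-chip secret that never
    leaves the TPM (chip_secret) and from the PCR value the policy requires; a real
    TPM uses its storage key hierarchy and a PCR policy digest instead."""
    assert len(secret) == 32
    wrap_key = hmac.new(chip_secret, expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap_key))
    tag = hmac.new(wrap_key, blob, hashlib.sha256).digest()
    return blob, tag


def unseal(blob: bytes, tag: bytes, current_pcr: bytes, chip_secret: bytes):
    """Release the secret only if the same chip observes the same PCR value; else None."""
    wrap_key = hmac.new(chip_secret, current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(wrap_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # wrong chip or changed boot measurements: policy not satisfied
    return bytes(a ^ b for a, b in zip(blob, wrap_key))


# Constructed sample data: boot components as measured on the original machine.
GOOD_BOOT = [b"firmware v1.0", b"bootloader", b"kernel"]
CHIP_A, CHIP_B = b"constructed chip secret A", b"constructed chip secret B"
DISK_KEY = b"K" * 32  # constructed 32-byte disk encryption key

if __name__ == "__main__":
    pcr = measure_boot(GOOD_BOOT)
    blob, tag = seal(DISK_KEY, pcr, CHIP_A)
    print("same chip, same boot :", unseal(blob, tag, pcr, CHIP_A) == DISK_KEY)
    print("modified firmware    :", unseal(blob, tag, measure_boot([b"firmware v1.1"] + GOOD_BOOT[1:]), CHIP_A))
    print("chip moved elsewhere :", unseal(blob, tag, pcr, CHIP_B))
```

Because extend is order-sensitive and one-way, the only way to reproduce the expected PCR value is to boot the same components in the same order on the same chip.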
TPM and Windows 11
Windows 11 was announced on June 24, and the announcement included the relatively big surprise that TPM 2.0 support is required to run it. Because TPM has historically been an enterprise-market feature, it has been less common on self-built and custom machines.
Turning on the TPM chip is a small matter for anyone who has played around with the BIOS a bit from time to time. There you can turn on either a physical TPM chip or a function called fTPM (the TPM functionality lives in the BIOS firmware itself rather than on a separate chip). However, not all of these are equally stable technically, and for many people this could mean buying a physical TPM chip or buying a Windows 11 compatible PC.
Why Microsoft chose to enforce TPM for Windows 11 is unclear beyond the security aspect. Some people believe the TPM requirement makes it much harder to sell pirated copies of Microsoft software online.