
Windows 10 devices now requires hardware encryption/TPM

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
18,930 (2.85/day)
Location
Piteå
System Name Black MC in Tokyo
Processor Ryzen 5 5600
Motherboard Asrock B450M-HDV
Cooling Be Quiet! Pure Rock 2
Memory 2 x 16GB Kingston Fury 3400mhz
Video Card(s) XFX 6950XT Speedster MERC 319
Storage Kingston A400 240GB | WD Black SN750 2TB |WD Blue 1TB x 2 | Toshiba P300 2TB | Seagate Expansion 8TB
Display(s) Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case Fractal Design Define R4
Audio Device(s) Line6 UX1 + some headphones, Nektar SE61 keyboard
Power Supply Corsair RM850x v3
Mouse Logitech G602
Keyboard Cherry MX Board 1.0 TKL Brown
VR HMD Acer Mixed Reality Headset
Software Windows 10 Pro
Benchmark Scores Rimworld 4K ready!
Stolen from Sweclockers, but it's in Swedish.

So from now on devices (OEM built) need a TPM module. Relevant bit:

As of July 28, 2016, all new device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default from this effective date.

The following requirements must be met:

  • All TPM configurations must comply with local laws and regulations.
  • Firmware-based components that implement TPM capabilities must implement version 2.0 of the TPM specification.
  • An EK certificate must either be pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
  • It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single switchable PCR bank that can be utilized for SHA-256 measurements.
  • It must support TPM2_HMAC command.
A UEFI firmware option to turn off the TPM is not required. OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.

Pretty interesting, but there are tons of questions I guess. I don't actually know anything about how TPM works, just that it's hardware, meaning the key is stored in a physical chip and that the decryption has to run through this chip. But I have no idea how, let's say, biometrics is tied to this. Or what the implications will be, or what exactly is encrypted. The entire storage or just the login details as such?
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,879 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Stolen from Sweclockers, but it's in Swedish.

So from now on devices (OEM built) need a TPM module. Relevant bit:

Pretty interesting, but there are tons of questions I guess. I don't actually know anything about how TPM works, just that it's hardware, meaning the key is stored in a physical chip and that the decryption has to run through this chip. But I have no idea how, let's say, biometrics is tied to this. Or what the implications will be, or what exactly is encrypted. The entire storage or just the login details as such?

TPMs are used by BitLocker to decrypt drives. Other security software can be programmed to use the code stored in the TPM, which is generated in part by the hardware in the system. Think of it as an MD5 of your physical PC. This isn't some scary tinfoil hat stuff though. A lot of consumer laptops have TPMs.
 

Frick

This isn't some scary tinfoil hat stuff though. A lot of consumer laptops have TPMs.

That I actually knew, but it's interesting it's a minimum requirement now. But it makes sense as they are really, really pushing everyone online.
 
Joined
Jun 29, 2016
Messages
140 (0.05/day)
The problem is TPM is hardware, and software is still more reliable than hardware, which offers physical access; there have been successful TPM attacks.
 

Solaris17

The problem is TPM is hardware, and software is still more reliable than hardware, which offers physical access; there have been successful TPM attacks.

You must be joking. Every single consumer encryption software has either gone out of business because of it or admitted to having some kind of company-manufactured back door. And I would hope there have been successful TPM attacks; a lot is possible when you have physical access to a system.
 
Joined
Jun 29, 2016
Messages
140 (0.05/day)
You must be joking. Every single consumer encryption software has either gone out of business because of it or admitted to having some kind of company-manufactured back door. And I would hope there have been successful TPM attacks; a lot is possible when you have physical access to a system.
TrueCrypt is still working, VeraCrypt is a successor in the long term, LUKS is a good option for Linux filesystems. Of course UEFI is still unsupported by VeraCrypt.
 

Solaris17

TrueCrypt is still working, VeraCrypt is a successor in the long term, LUKS is a good option for Linux filesystems. Of course UEFI is still unsupported by VeraCrypt.

You know those are just encryption software, right? The TPM by itself encrypts nothing.

EDIT: Looking back at your statement about software and your endorsement of the now unsupported TrueCrypt, I am going to assume you use the software extensively and maybe fell upon this in their wiki article?

Trusted Platform Module
The FAQ section of the TrueCrypt website states that the Trusted Platform Module (TPM) cannot be relied upon for security, because if the attacker has physical or administrative access to the computer and you use it afterwards, the computer could have been modified by the attacker e.g. a malicious component—such as a hardware keystroke logger—could have been used to capture the password or other sensitive information. Since the TPM does not prevent an attacker from maliciously modifying the computer, TrueCrypt will not support the TPM.[73]

If it is, I would like to reiterate that the TPM is a very secure method of obtaining a key to use in conjunction with supported software to encrypt any device. The article and TrueCrypt's stance on TPMs relies on the assumption that it can be broken if you have physical access, which means it must not be secure. However, I would remind you that in any security expert's eyes physical access is the highest level of access you can have with a machine.

I would then counter that software cannot be any more secure than a physical piece of hardware responsible for generating a code, because as even TrueCrypt stated, a keylogger can be used to lift the password. Encrypted data means nothing on a machine that is infected. It's like running BitLocker on a hard drive with a keylogger and my bank info. Encryption does nothing to protect my bank account. Likewise TrueCrypt, VeraCrypt and BitLocker are all just software resources used to encrypt a hard drive.

They only provide you with protection if a drive is physically read from another machine. A TPM is not an encryption device. It is a device used to generate a key based off of the hardware in a given machine to help add an extra layer of protection to encryption software using that key as a PARTIAL unlock sequence (any software that uses a TPM's code does not use it exclusively; it simply uses it in conjunction with a software key generated to unlock your data). Thus if the hardware changes, the code changes, which in turn renders the drives unlockable unless you use the emergency unlock sequence provided to you by the software vendor.
 
Joined
Jun 29, 2016
Messages
140 (0.05/day)
Why is a thing that can be broken required when software can do the job just fine? You don't need TPM, RFID and RFID-like chips make more sense. Or USB drives that the system recognizes, something along those lines.
 

Solaris17

Why is a thing that can be broken required when software can do the job just fine? You don't need TPM, RFID and RFID-like chips make more sense. Or USB drives that the system recognizes, something along those lines.

Because software can't do its job just fine. Hardware devices add an extra level of protection by needing to be relied upon to unlock data. In the example I used above, your TrueCrypt unlock key means nothing if your unit is infected and I have already lifted the key.

However, that key becomes useless if you remove a hard drive and reboot your machine and scramble the TPM; then the unlock code no longer works and you need to use the one-time-use emergency unlock code given to you during initial encryption.
 
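Solaris17's two posts above (the TPM key as a partial unlock factor that stops working once the measured hardware changes, and the one-time emergency unlock) can be shown with a small model; this is an added example, not code from the thread or from any real TPM stack. It models a SHA-256 PCR bank with PCRs 0 to 23 as in the quoted requirement, seals a constructed volume key to PCRs 0 and 4 plus a PIN, and escrows the key under a recovery secret. The PCR assignments, the XOR wrapping and all names are assumptions of the toy, not TPM 2.0 sealing.

```python
import hashlib
import hmac
import os

def extend(pcrs, index, measurement):
    # TPM PCR extend: PCR[i] = SHA256(PCR[i] || SHA256(measurement)); it can never be set directly
    pcrs[index] = hashlib.sha256(pcrs[index] + hashlib.sha256(measurement).digest()).digest()

def measured_boot(firmware, bootloader):
    # Constructed boot chain (assumption): firmware measured into PCR 0, bootloader into PCR 4.
    pcrs = [bytes(32)] * 24  # one SHA-256 bank, PCRs 0..23, all zero at reset
    extend(pcrs, 0, firmware)
    extend(pcrs, 4, bootloader)
    return pcrs

def _kek(pcrs, policy, pin):
    # Key-encryption key from the PCR policy digest AND the user PIN: the TPM is only a partial factor.
    policy_digest = hashlib.sha256(b"".join(pcrs[i] for i in policy)).digest()
    return hmac.new(policy_digest, pin, hashlib.sha256).digest()

def seal(volume_key, pcrs, policy, pin):
    kek = _kek(pcrs, policy, pin)
    blob = bytes(a ^ b for a, b in zip(volume_key, kek))  # toy 32-byte wrap, not real TPM2 sealing
    tag = hmac.new(kek, blob, hashlib.sha256).digest()     # lets unseal notice a wrong KEK
    return {"policy": policy, "blob": blob, "tag": tag}

def unseal(sealed, pcrs, pin):
    kek = _kek(pcrs, sealed["policy"], pin)
    if not hmac.compare_digest(hmac.new(kek, sealed["blob"], hashlib.sha256).digest(), sealed["tag"]):
        return None  # measurements or PIN differ from seal time: the drive stays locked
    return bytes(a ^ b for a, b in zip(sealed["blob"], kek))

def make_recovery(volume_key):
    # Escrow copy under a random recovery secret: the "emergency unlock" handed out at encryption time
    recovery = os.urandom(32)
    return recovery, bytes(a ^ b for a, b in zip(volume_key, recovery))

def recover(recovery, escrow):
    return bytes(a ^ b for a, b in zip(escrow, recovery))

def demo():
    volume_key, pin = os.urandom(32), b"1234"
    good = measured_boot(b"fw-v1", b"bootmgr-v1")            # constructed measurements
    sealed = seal(volume_key, good, [0, 4], pin)
    recovery, escrow = make_recovery(volume_key)
    tampered = measured_boot(b"fw-v1", b"bootmgr-modified")  # one measured component changed
    return (unseal(sealed, good, pin) == volume_key,      # same measurements + PIN: unlocks
            unseal(sealed, tampered, pin) is None,        # changed measurement: stays locked
            unseal(sealed, good, b"0000") is None,        # right hardware, wrong PIN: locked
            recover(recovery, escrow) == volume_key)      # emergency unlock still works
```

Any change to a measured component, even one that is not a physical part swap, lands in the PCRs and locks the sealed key, which is exactly why the recovery secret has to be kept somewhere other than on the sealed drive.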

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
While a TPM chip does increase the security of a PC, it also really helps to make for a locked down platform, turning a PC into something more like an iPad where everything is controlled by Apple.

It'll basically make DRM more invasive and horrible.
 

Solaris17

While a TPM chip does increase the security of a PC, it also really helps to make for a locked down platform, turning a PC into something more like an iPad where everything is controlled by Apple.

It'll basically make DRM more invasive and horrible.

Wow, I fail to see how it will make DRM anything. TPMs aren't even enabled by default. They are used by consumers who are intelligent enough to know how to turn them on. They are mostly used in business environments on corporate machines to protect data and are used on servers to protect your user data from being stolen if the DC was broken into. I seriously fail to see how it makes anything "like Apple" and how it would ever make "DRM more invasive and horrible".

A TPM only makes the security of a PC improved if you

A: use it
B: use it correctly

TPMs are completely optional devices, not the spawn of Satan.

Is this forum serious right now? Am I being punked?
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
14,673 (2.29/day)
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 (2022 Upgrade) - Ryzen+ Edition | Gaming Laptop (Lenovo Legion 5i Pro 2022)
Processor R7 5800X @ Stock | i7 12700H @ Stock
Motherboard Asus ROG Strix X370-F Gaming BIOS 6203| Legion 5i Pro NM-E231
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Cooling
Memory TEAMGROUP T-Force Vulcan Z 32GB (2x16) DDR4 4000 @ 3600 18-20-20-42 1.35v | 32GB DDR5 4800 (2x16)
Video Card(s) Palit GeForce RTX 4070 JetStream 12GB | CPU-based Intel Iris XE + RTX 3070 8GB 150W
Storage 4TB SP UD90 NVME, 960GB SATA SSD, 2TB HDD | 1TB Samsung OEM NVME SSD + 4TB Crucial P3 Plus NVME SSD
Display(s) Acer 28" 4K VG280K x2 | 16" 2560x1600 built-in
Case Corsair 600C - Stock Fans on Low | Stock Metal/Plastic
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + JVC HA-RX 700 (Equalizer APO + PeaceUI) | Bluetooth Earbuds (BX29)
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | 300W OEM (heavy use) or Lenovo Legion C135W GAN (light)
Mouse Logitech G502 | Logitech M330
Keyboard HyperX Alloy Core RGB | Built in Keyboard (Lenovo laptop KB FTW)
Software Windows 11 Pro x64 | Windows 11 Home x64
I think pushing TPM requirements is a good thing, this should've been done years ago...why folks wouldn't want to use it is beyond me. For many industries where encryption is required, TPM has been required for years...and supporting 2.0+ standards is the obvious way to go.

We deploy A LOT of devices in the medical industry where TPM and active encryption are required, honestly @Solaris17 has TPM pretty well covered. It really is a good thing to be supportive of when deploying encrypted devices on a professional level and a personal level, how important is your data?

For those that might need a little more understanding for what TPM can provide, take a quick read:

http://www.trustedcomputinggroup.org/use-tpm-guide-hardware-based-endpoint-security/

https://technet.microsoft.com/en-us/library/cc749022(v=ws.10).aspx

http://www.howtogeek.com/237232/what-is-a-tpm-and-why-does-windows-need-one-for-disk-encryption/

Not saying software-only solutions are better or worse, but in my experience, TPM works very well; if it's there, and you know how to use it right, then why not use it? Some situations where TPM is not available or supported by the provided encryption solution mean sure, don't use it, and require another solution like a USB key...something you need not lose. Make your footprint small and make yourself seem like you're not worth the effort of breaking the encryption to access your data. This topic could really expand out into great depth in a hurry...
 