Is it better to use a TPM or not?

Status
Not open for further replies.

pcx436

Mar 6, 2014
I've been looking into TPMs (trusted protection modules) and I was wondering exactly what advantages they have as opposed to the regular way of storing encryption keys. If someone were to obtain my TPM, would they have access to my password hashes/passwords? Just in general, is it better to have a TPM or regular encryption keys, or maybe both?
 
Solution
http://technet.microsoft.com/en-ca/windows/dn168167.aspx
and
http://technet.microsoft.com/en-ca/windows/dn168169.aspx
and
http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

1) Note you must install Windows 8.1 using UEFI mode in the BIOS. If you install as Legacy (non-UEFI) you can't switch later without re-installing the OS.

2) UEFI SECURE is an optional feature so not all UEFI motherboards have it.

3) You do not require a TPM module if the board supports UEFI Secure mode. From what I can tell the board is already doing what TPM would.

*Here is why I said the above:
"Secure Boot is an optional feature of the UEFI specification. The choice of whether to implement the feature and the details of its implementation (from an end-user standpoint) are business decisions made by Original Equipment Manufacturers (OEMs). As of this date, no one has claimed or demonstrated an attack that can circumvent UEFI Secure Boot on a system on which it is properly implemented and enabled."

*Anyway, if your main purpose is to prevent boot-time hacks then I think this might be the best approach but don't quote me:

1) Buy a motherboard with a TPM mount or ensure it has UEFI SECURE
2) Buy a TPM module and install it only if the board has a TPM mount but isn't secure without the TPM
3) Install Windows 8.1 in Secure UEFI mode

SUMMARY:
AFAIK it just makes sense to buy a motherboard that supports UEFI SECURE mode then install Windows 8.1 when this is enabled in the BIOS.

I'm not quite sure what TPM offers if you have UEFI secure.
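
An added example, not part of any post in this thread: a way to check on an installed Windows system which of the pieces discussed above are actually in place (UEFI boot mode, Secure Boot state, TPM presence). It uses the built-in `Confirm-SecureBootUEFI` and `Get-Tpm` cmdlets and assumes an elevated PowerShell prompt; the function name `Get-BootTrustState` is hypothetical.

```powershell
# Added example: report firmware boot mode, Secure Boot state and TPM state.
# Run from an elevated PowerShell prompt. Get-BootTrustState is a hypothetical name.
function Get-BootTrustState {
    $state = [ordered]@{
        FirmwareMode = 'Unknown'
        SecureBoot   = 'Unknown'
        TpmPresent   = 'Unknown'
        TpmReady     = 'Unknown'
    }

    try {
        # Returns $true/$false on UEFI systems; throws on legacy BIOS installs.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $state.FirmwareMode = 'UEFI'
        $state.SecureBoot   = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy (non-UEFI) boot, or firmware without Secure Boot support.
        $state.FirmwareMode = 'Legacy BIOS or UEFI without Secure Boot'
        $state.SecureBoot   = 'Not supported'
    }
    catch [System.UnauthorizedAccessException] {
        # The cmdlet needs administrative rights to read the firmware variable.
        $state.SecureBoot = 'Unknown (not elevated)'
    }

    try {
        # TpmPresent: a TPM is visible to Windows; TpmReady: it is provisioned for use.
        $tpm = Get-Tpm -ErrorAction Stop
        $state.TpmPresent = $tpm.TpmPresent
        $state.TpmReady   = $tpm.TpmReady
    }
    catch {
        $state.TpmPresent = "Unknown ($($_.Exception.Message))"
    }

    [pscustomobject]$state
}

Get-BootTrustState | Format-List
```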
 