There has been a lot of FUD about TPM devises previously, but we're going to try and iron out some of the crap misconceptions from what it actually does.
First of all - it will NOT lock down your PC, it will NOT lock your hardware to your software, it will NOT record any personal data and it will NOT limit the software/hardware use to "authorised devises/applications" only. (At least, in this instance; Gigabyte was very insistent that its product was for the benefit of the user).
Gigabyte is working with Infineon to provide a secure sector(s) of a hard drive(s) that is locked down by a personal key. You can have multiple keys and multiple partitions on the same drive and removing the drive from the case renders that information hidden and encrypted until it gets the key again.
The latest generation stores the Primary and User key on the drive and the TPM devise - it used to be just the drive only, but if the drive got bad sectors of the key corrupted that was your secure data access completely lost. You can either make a section of a current drive or an entire drive encrypted and thanks to Gigabyte's SATA to eSATA PCI brackets that connect direct to the ICH10R can even be an external drive making it easier to take with you. Flashing the BIOS also doesn't affect it because the TPM data is kept encrypted in a different sector on the back-up BIOS only.
Gigabyte also include an optional install called "Ultra TPM", this, Gigabyte claims, adds an extra level of security and convenience by allowing a USB key to be encrypted and the key copied to there as well. This means that you have an extra backup of the key if your entire PC dies in a catastrophic failure (although, not your hard drive we assume), and you can use the USB key like an actual physical key - where by plugging it in it instantly allows access to the corresponding encrypted data without having to re-input your private key.
Gigabyte's argument for this is "You wouldn't leave your car keys in the car", however we also see many security vulnrabilities - if your keys and notebook are both in your briefcase/bag and that's stolen, someone doesn't need to get the key out of you, and in cases of industrial espionage where someone only has to steal your keys to get access to your work PC without you being there.
We suggested that uploading the key to a secure online server would be good, because if someone hacked the server for a passkey, they'll still need access to the machine itself and keeping it online in a secure FTP gives you an access anywhere off-site backup. If they are already determined to hack the FTP for the passcode, they are already determined enough to just hacking the client machine directly anyway.
Still scared that TPM will end the world? Let us know your concerns in the forums.
Tuesday, June 10, 2008
Gigabyte TPM Explained
Posted by Engeneer Moris at 2:46 PM
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment