What Is A Trusted Platform Module (TPM)? Why Is It Important?

By Alexander S. Gillis, Technical Writer and Editor

What is a Trusted Platform Module (TPM) and why is it important?

A Trusted Platform Module (TPM) is a specialized chip on a laptop or desktop computer that is designed to secure hardware with integrated cryptographic keys. A TPM helps prove a user's identity and authenticates their device. A TPM also helps provide security against threats like firmware and ransomware attacks.

A TPM is used for digital rights management (DRM) to protect Windows-based systems and to enforce software licenses. It can also store passwords, certificates or encryption keys. TPM chips can be used with any major operating system and work best in conjunction with other security technologies, such as firewalls, antivirus software, smart cards and biometric verification.

A TPM chip is located on a computer's motherboard as a dedicated processor. It stores Rivest-Shamir-Adleman (RSA) encryption keys specific to the host system for hardware authentication.

Each TPM chip contains an RSA key pair called the Endorsement Key (EK). The pair is maintained inside the chip and cannot be accessed by software. The Storage Root Key is created when a user or administrator takes ownership of the system. This key pair is generated by the TPM based on the EK and an owner-specified password.

A second key, called an Attestation Identity Key (AIK), protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes are sent to a server that verifies they match expected values. If any of the hashed components have been modified, the match fails, and the system cannot gain entry to the network.
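The measure-then-verify flow described above, as an added example that is not part of the original article: it models a TPM platform configuration register (PCR) extend with SHA-256 and a server-side check against expected hashes. The component names and images are constructed, and the AIK signature over the reported value is not modeled.

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes after reset

def extend(pcr, measurement):
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components):
    """Device side: hash each component before it runs and extend the PCR.
    Returns the final PCR and the event log of (name, digest) pairs."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(reported_pcr, log, expected):
    """Server side: replay the log, then check every digest. Returns (ok, reason)."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    if [name for name, _ in log] != list(expected):
        return False, "unexpected boot component sequence"
    for name, digest in log:
        if digest != expected[name]:
            return False, f"{name} does not match its expected hash"
    return True, "all measurements match"

# Constructed sample images; real inputs are firmware and boot loader binaries.
GOOD = [("firmware", b"fw 1.0"), ("bootloader", b"loader 2.1"), ("kernel", b"kernel 5.4")]
EXPECTED = {name: hashlib.sha256(image).digest() for name, image in GOOD}

def demo():
    good_pcr, good_log = measure_boot(GOOD)
    changed = [GOOD[0], ("bootloader", b"loader 2.1 (modified)"), GOOD[2]]
    bad_pcr, bad_log = measure_boot(changed)
    return [
        verify(good_pcr, good_log, EXPECTED),  # unmodified device
        verify(bad_pcr, bad_log, EXPECTED),    # honest log of a modified boot
        verify(bad_pcr, good_log, EXPECTED),   # modified boot, stale known-good log
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The third case shows why the verifier replays the log: a device cannot pair a known-good log with a PCR that recorded a modified component.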

The term TPM is sometimes used in reference to the set of specifications applicable to TPM chips. The nonprofit Trusted Computing Group (TCG) publishes and maintains TPM specifications.

TPM uses and benefits

TPMs provide the following benefits:

  • Generate, store and limit the use of cryptographic keys.
  • Ensure platform integrity by using metrics that can detect changes to past configurations.
  • Provide platform device authentication with TPM's RSA key.
  • Mitigate firmware, ransomware, dictionary and phishing attacks.
  • Protect digital media rights using DRM technology.
  • Ensure software licenses are protected.

How does Windows use TPMs and why are they required?

Windows 7, 8, 10 and 11 all support Trusted Platform Modules. Microsoft combines the security features found in Windows with the benefits of TPMs to offer more practical security benefits. For example, Windows uses TPMs to provide the following security features:

  • Windows Hello is a biometric identity and access control feature that supports fingerprint scanners, iris scanners and facial recognition technology that use TPMs. It uses both an EK and an AIK.
  • Dictionary attack protection helps protect against a brute-force attack that breaks into a password-protected computer network by systematically entering every word in a dictionary as a password.
  • BitLocker Drive Encryption encrypts logical volumes. It differs from Microsoft's Encrypting File System (EFS) in that BitLocker can encrypt an entire drive, whereas EFS only encrypts individual files and folders. If the computer or hard disk is lost or stolen while powered off, the data on the volume is kept private. BitLocker may still be susceptible to cold boot attacks, so two-factor authentication is also typically used.
  • Virtual smart cards are based on TPMs and are similar to physical smart cards. They are used for authentication to external resources.
  • Measured boot helps detect malware during boot sequences and ensures TPM measurements reflect the starting state of Windows and Windows configuration settings.
  • Health attestation creates AIK certificates for TPMs and parses measured boot data to evaluate device health.
  • Credential Guard uses virtualization-based security to isolate credentials. TPMs are used here to protect keys.

TPM 2.0 explained

TCG created TPM 2.0 to improve Trusted Platform Modules with new features. For example, the new algorithm interchangeability feature enables TPMs to use different algorithms in case one does not work against specific threats. Prior to this, TPM 1.2 was limited to using Secure Hash Algorithm 1 (SHA-1). Basic verification signatures were also improved with the added support of personal identification numbers and biometric and Global Positioning System data. Improved key management enables keys to now be handled for limited and conditional use.

The new and updated features of TPM 2.0 offer more flexibility, enabling the chip to be used in more resource-constrained devices. TPM 2.0 can run on new PCs on any version of Windows 10 for desktop and on Windows 11 devices that support TPMs.

Different types of TPM implementations

The following Trusted Platform Modules differ by how they are implemented:

  • Discrete TPMs are specific and dedicated chips. These are potentially the most secure type of TPM, as they are typically less likely to have bugs and must also implement tamper resistance.
  • Physical-based TPMs are integrated into the main central processing unit (CPU) and include security mechanisms that make them tamper-resistant.
  • Firmware-based TPMs run in a CPU's trusted execution environment. These TPMs are almost as secure as physical TPM chips.
  • Software-based TPMs do not provide additional security and run the risk of having bugs or being externally attacked.
  • Virtual TPMs are provided by a hypervisor, which independently retrieves security codes from a virtual machine.

Figure: Types of TPMs. There are several basic types of TPMs, all offering different levels of security.

History of TPM

TCG developed TPMs and has updated them over time. One notable update was version 1.2, which became standardized as International Organization for Standardization/International Electrotechnical Commission 11889 in 2009. TCG continues to work on the standard, integrating new additions and features. Its most recent update, version 2.0, was released in 2019. This version adds new features to increase the security of TPM. Version 2.0 works for Windows 10 and only some versions of Windows 11.


This was last updated in February 2022
