Saturday, March 22, 2014

TPM and Multiple Machines

Hey guys,

My current employer is considering a full disk encryption (FDE) technology which uses TPMs instead of our current software-based solutions with passwords. I'm doing some testing.

Quick aside: In short, right now, users type in a password (encryption key) when their machine boots. The solution we're considering (BitLocker) stores the encryption keys in the special TPM chip on supported computers.

Normally, most people's experience with TPMs is on laptops. They're rare on desktop machines. I much prefer working with desktops. Thus, my home lab had no TPM support. I have two motherboards with headers for TPMs. A quick Amazon search found a TPM which Prime quickly delivered. So, I set up Windows 8.1 Enterprise Evaluation edition on an OCZ SSD.

I installed the TPM module in the motherboard. Then, I configured it. And booted into Windows.

This was the surprisingly difficult part. Using the Control Panel applet to configure BitLocker led to nothing but frustration. I finally found some instructions on how to force BitLocker to use the TPM (by default, it appears to NOT use the TPM). Here's the command that did it:

manage-bde -on C:

Some testing indicated that everything worked as expected (could seamlessly boot into Windows 8.1; loading the drive into a forensic workstation showed a garbled mess; etc.). Now, for the fun part. The part that you can't do with a laptop.

I took the drive and the TPM out of my initial build machine and put it in a test machine; configured the BIOS; booted. Useless. Windows wouldn't boot as it couldn't decrypt the drive. I was hoping that I'd be able to use the drive; no such luck.

Finally, I returned the TPM and drive back to the original machine. Everything worked fine. "manage-bde -status" still shows the drive as encrypted.
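For readers repeating this in a lab, here is the same enable-and-verify procedure as a PowerShell script. This is an added example, not from the original post: it checks that the TPM is present and ready, adds a 48-digit recovery-password protector before turning on encryption, then enables BitLocker bound to the TPM (the cmdlet equivalent of "manage-bde -on C:") and reports the protectors and volume status. The recovery protector matters for exactly the failure seen above: BitLocker seals the volume key to PCR measurements taken during boot, so a different board's firmware produces different measurements and the TPM refuses to unseal. The mount point "C:", the AES-256 choice, and the optional Active Directory escrow switch are assumptions; the script needs an elevated PowerShell on Windows 8.1 or later with the BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original post's code): enable BitLocker with a TPM protector
# plus a recovery-password protector, then verify. Mount point and switches are assumptions.

function Enable-TpmBitLocker {
    param(
        [string]$MountPoint = "C:",      # assumed OS volume
        [switch]$EscrowToAD              # assumed: only works on a domain-joined machine with the BitLocker GPO
    )

    # 1. The TPM protector needs a TPM that is both present and initialized ("ready").
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw "No TPM detected; check the header module and the firmware setting." }
    if (-not $tpm.TpmReady)   { throw "TPM present but not ready; initialize it in the firmware or TPM console first." }

    # 2. Add the recovery-password protector BEFORE encrypting. This 48-digit key is the
    #    only way in when the TPM will not unseal (drive moved to another board, firmware
    #    update, changed boot order). Record or escrow it; it is shown only here.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1

    # 3. Bind the volume to the TPM and start encrypting. Aes256 is used because the
    #    post runs Windows 8.1, which predates the XTS modes. -SkipHardwareTest avoids
    #    the extra reboot that checks the TPM can unseal before encryption starts.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest

    # 4. Optionally escrow the recovery password to AD DS (MBAM is the other escrow option).
    if ($EscrowToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
    }

    # 5. Verify: the cmdlet view of "manage-bde -status C:".
    $status = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint           = $status.MountPoint
        VolumeStatus         = $status.VolumeStatus
        ProtectionStatus     = $status.ProtectionStatus
        EncryptionPercentage = $status.EncryptionPercentage
        Protectors           = ($status.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        RecoveryPassword     = $recovery.RecoveryPassword
    }
}

# Usage (assumed): run once on the machine being enrolled, then store the printed
# recovery password somewhere that is NOT on the encrypted drive.
Enable-TpmBitLocker -MountPoint "C:"
```

The output should list both a "Tpm" and a "RecoveryPassword" protector; if only "Tpm" appears, the volume is unrecoverable once the TPM cannot unseal it, which is the situation the drive-swap test above reproduces. After the reboot, "manage-bde -protectors -get C:" shows the same protector list from the command line.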

I'm torn. On one hand, I'm glad that the encryption protected the data even after the drive and the TPM were moved into a different machine. Let's face it: you'd have to have a VERY determined adversary to try something like pulling a TPM off of a laptop motherboard. On the other hand, in an enterprise environment, sometimes data recovery means that you need access to data even if the original machine is b0rked. I guess that's what MBAM is for.

MJ
