| Previous | Next |
| TPM_E_NOSRK | TPM_E_OWNER_SET |
TPM_E_NOTSEALED_BLOB
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
What is stored on a TPM?
TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments. Trusted modules can be used in computing devices other than PCs, such as mobile phones or network equipment.
The nature of hardware-based cryptography ensures that the information stored in hardware is better protected from external software attacks. A variety of applications storing secrets on a TPM can be developed. These applications make it much harder to access information on computing devices without proper authorization (e.g., if the device was stolen). If the configuration of the platform has changed as a result of unauthorized activities, access to data and secrets can be denied and sealed off using these applications.
Where is TPM data stored?
A TPM chip is located on a computer's motherboard as a dedicated processor. Cryptographic keys store Rivest-Shamir-Adleman (RSA) encryption keys specific to the host system for hardware authentication.
Each TPM chip contains an RSA key pair called the Endorsement Key (EK). The pair is maintained inside the chip and cannot be accessed by software. The Storage Root Key is created when a user or administrator takes ownership of the system. This key pair is generated by the TPM based on the EK and an owner-specified password.
A second key, called an Attestation Identity Key (AIK), protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes are sent to a server that verifies they match expected values. If any of the hashed components have been modified, the match fails, and the system cannot gain entry to the network.
The term TPM is sometimes used in reference to the set of specifications applicable to TPM chips. The nonprofit Trusted Computing Group (TCG) publishes and maintains TPM specifications.