[Hardware] What is the Trusted Platform Module (TPM) and how does it work?

[Dark]

We live in an interconnected world in which vulnerabilities and cyber attacks happen so frequently that they are now considered commonplace. For this reason, security has long been a major concern and has been implemented at the hardware level. Today we are going to talk to you about the TPM or Trusted Platform Module, a piece that is already essential today to protect our data as users.

One of the most commonly used security measures to protect our data is its encryption, which can be done using different methods but always with the same purpose: even if the data "leaves" the computer where it originated, it cannot be read unless you have a private key. And this, precisely, is the objective of the TPM, but we are going to see it in depth.

What is the TPM and what is its function?
TPM is the acronym for Trusted Platform Module or Trusted Platform Module in Spanish, and is the name of a specification that details a secure cryptoprocessor capable of storing encryption keys with which to protect our information. As you will already suppose, the TPM is a physical chip that is found on the motherboards of our computers, but it is a passive chip that is deactivated at the factory and only if the user wants, he can choose to activate it, or the most common is that the motherboard base has a TPM head in which we can put a chip bought separately (although on some boards it is also included).

Motherboard TPM header

The main function of this chip is to provide a physical place in which to store credentials, certificates and encryption keys that serve both to encrypt other data and to store our passwords themselves. One of the faculties that make this chip so secure is that it can only communicate with the processor, solely and exclusively, so that no other hardware component can have access to it without the permission of the processor, so to speak.

The use of a TPM chip is, for example, as DRM (copyright protection to prevent piracy), file and folder encryption (for example with Windows EFS encryption file system), secure email (the client it must support digital signature features such as Outlook), secure WWW (browsing with SSL), and even for other features such as virtual private networks (VPN), one-time passwords, and client authentication.

What do you need and how can you activate it on your PC
Obviously, you need your motherboard to be compatible with TPM and that either already integrates the chip or has at least the TPM connector that we have mentioned before, generally located in the lower area of the motherboard.

TPM connector

In the event that you do not have the chip but you do have the head, they can be purchased individually but we recommend doing it from trusted brands. Here are a couple of examples, one from ASUS and one from ASRock.

ASUS TPM chip
Buy it at Amazon Logo
EUR
16.47
Amazon logo
ASRock TPM chip
Buy it at Amazon Logo
EUR
17.64
Amazon logo
Even though you have the chip, as we have mentioned before it is passive and is disabled at the factory, so you will have to enable it manually. To do this, you must access the UEFI BIOS of your PC and then the security section (Security), although in some BIOS you will find it simply in Settings -> Advanced options. If all goes well, there you can activate TPM on your computer.

Enable TPM

With this you will already have TPM activated in the BIOS and you can start using it. Since mid-2016, TPM support comes by default in the Windows 10 operating system, and to access its configuration simply click with the right mouse button on the start button and select run. In the window that opens, type "tpm.msc" (without the quotes) and press accept. If it is correctly activated, here you will be able to access the command administration and use this trusted platform in whatever you need.