this post was submitted on 03 Dec 2024
1074 points (99.2% liked)
Technology
60082 readers
2185 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The TPM is not a dedicated cryptographic processor, it's an external keystore with a few select functions. You're thinking of an HSM which is used almost exclusively in servers that have to handle thousands of secrets per second.
CPUs have had dedicated AES hardware for decades which is why LUKS and Bitlocler use it by default.
The TPM just allows certain keys and secrets to be generated and stored physically separate from the CPU as a security measure.
Bitlocker and LUKS will store a master key in the TPM so that you don't have to enter a password every time you boot. They retrieve it from the TPM and then use it to unlock the actual encryption key which is done entirely in the CPU. If the TPM detects foul play such as secure boot alteration, it will refuse to give the key or clear itself.
Using the TPM for constant encryption like at rest disk encryption would be way too slow.
It's so so small that most modern TPMs have been integrated into the CPU or even simulated via the motherboard firmware (fTPM and PTT).