In response to Kevin...

TPMs are rapidly becoming a normal part of desktops and laptops, thankfully.

My concern with FDE and TPMs is that, thus far, the only FDE vendor that 
seems to utilize the TPM for *pre-boot integrity checking* (rather than just 
cryptographic key storage) is BitLocker. BitLocker stores startup component 
hashes in the TPM PCRs (platform config registers), as well as the 
cryptographic key for the data on BL-encrypted volumes. Pre-boot integrity 
checking mitigates a compelling attack vector for attackers and also allows 
for secure "transparent operation" (meaning that no key/password is required 
provided no boot components have been modified)*.

While it's possible that other software-based FDE vendors do pre-boot 
integrity checking as well, I've found no information on their web sites 
that they use the TPM for anything besides secure key storage.

* Note: I realize that transparent operation (Basic Mode, in BitLocker 
terminology) is not nearly as safe as requiring a password/PIN/token due to 
attack vectors against the OS, RAM attacks, etc. But it's much safer than 
transparent operation mode *without* a TPM, which is little more than 
security by obscurity.

- Garrett


[snip]
>
> I would think that one reason for this is that TPM is not nearly
> as common in desktop models as in laptops and the best FDE leverages
> TPM. In fact, you hear in many web forums, mailing lists, etc. how
> TPM is not really even needed on desktop PCs anyway. But once TPMs
> reach some critical mass on desktops, then FDE on desktops might start
> becoming more common.
>
> -kevin
> ---

_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde
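The mechanism Garrett describes (boot components measured into PCRs, the volume key released only when the PCR digest matches the value it was sealed against) can be modelled in a few lines. The following is an added illustration, not BitLocker code or anything from the original thread. It assumes a single 32-byte SHA-256 PCR, a fixed storage root key `SRK`, constructed stand-ins for the firmware, boot manager and boot loader images, and a toy HMAC-based seal/unseal in place of the TPM's real key-wrapping and PCR policy; the names `pcr_extend`, `measure_boot_chain`, `seal`, `unseal`, `provision` and `transparent_boot` are all made up for this example.

```python
"""Simplified model of TPM-sealed FDE key release (added example, not BitLocker code).

Assumptions, none of which come from the original post: one SHA-256 PCR, a
fixed storage root key (SRK), constructed boot component images, and a toy
HMAC-based seal/unseal standing in for the TPM's real wrapped blob and PCR
policy.  The shape is what matters: the volume key only comes back when the
boot chain measured at this boot hashes to the same PCR value it was sealed to.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_INIT = bytes(32)  # PCRs are zeroed at platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR' = H(PCR || H(component)).

    One-way and order dependent, so a PCR value commits to the whole sequence
    of components measured so far, not just the last one.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Measure each boot component into the PCR in boot order."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _kek(srk: bytes, pcr: bytes) -> bytes:
    # Key-encryption key bound to both the TPM's root secret and the PCR value.
    return hmac.new(srk, b"seal-to-pcr" + pcr, hashlib.sha256).digest()


def seal(srk: bytes, pcr: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Seal a 32-byte secret to a PCR value; returns (ciphertext, tag)."""
    assert len(secret) == 32, "toy sealing handles exactly one 32-byte key"
    kek = _kek(srk, pcr)
    stream = hmac.new(kek, b"enc", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(kek, b"mac" + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(srk: bytes, pcr: bytes, blob: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Return the sealed secret if the current PCR matches, else None."""
    ciphertext, tag = blob
    kek = _kek(srk, pcr)
    expected = hmac.new(kek, b"mac" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # PCR mismatch: boot chain differs from what was sealed
    stream = hmac.new(kek, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


# Constructed stand-ins for boot component images (not real firmware).
TRUSTED_CHAIN = [b"firmware v1", b"boot manager v1", b"boot loader v1"]
TAMPERED_CHAIN = [b"firmware v1", b"boot manager v1", b"boot loader v1 + patch"]
SRK = hashlib.sha256(b"constructed SRK for the example").digest()
VMK = hashlib.sha256(b"constructed volume master key").digest()


def provision() -> Tuple[bytes, bytes]:
    """Enrolment: seal the volume key to the PCR value of the trusted chain."""
    return seal(SRK, measure_boot_chain(TRUSTED_CHAIN), VMK)


def transparent_boot(chain: List[bytes], blob: Tuple[bytes, bytes]) -> Optional[bytes]:
    """'Transparent operation': no PIN, the TPM releases the key iff PCRs match."""
    return unseal(SRK, measure_boot_chain(chain), blob)


if __name__ == "__main__":
    sealed = provision()
    print("clean boot releases VMK:", transparent_boot(TRUSTED_CHAIN, sealed) == VMK)
    print("tampered boot loader:", transparent_boot(TAMPERED_CHAIN, sealed))
```

Running the block shows the two cases the post contrasts: an unmodified chain reproduces the sealed PCR value and the key is released with no user interaction, while a single changed byte in the boot loader changes the PCR and the unseal fails. It also makes the limitation Garrett notes concrete: nothing here protects the key once a clean chain has released it, so attacks against the running OS or against RAM are outside what PCR sealing alone addresses.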
