TPM and HSM Hardware Encryption Devices
TPM and HSM
TPM and HSM are two types of hardware modules used for encryption. Trusted Platform Module (TPM) and a hardware security module (HSM) can be used for hardware encryption and both are mentioned specifically in the objectives for the SY0-401 Security+ exam. With this in mind, it’s important to know what these devices are and how they differ.
Master Security+ Performance Based Questions Video
A Trusted Platform Module (TPM) is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption. Many laptop computers include a TPM, but if the system doesn’t include it, it is not feasible to add one. Once enabled, the Trusted Platform Module provides full disk encryption capabilities. It keeps hard drives locked, or sealed, until the system completes a system verification or authentication process.
The TPM includes a unique RSA key burned into it, which is used for asymmetric encryption. Additionally, it can generate, store, and protect other keys used in the encryption and decryption process.
A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys.
High performance HSMs are external devices connected to a network using TCP/IP. Smaller HSMs come as expansion cards you install within a server, or as devices you plug into computer ports.
One of the noteworthy differences between the two is that HSMs are removable or external devices. In comparison, a TPM is a chip
embedded into the motherboard. You can easily add an HSM to a system or a network, but if a system didn’t ship with a TPM, it’s not feasible to add one later. Both provide secure encryption capabilities by storing and using RSA keys.
The following table outlines these key characteristics. (Click for a larger view.)
Security+ Practice Test Question
As an example, the following question from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide tests your knowledge between the two.
Your organization recently purchased several new laptop computers for employees. You’re asked to encrypt the laptop’s hard drives without purchasing any additional hardware. What would you use?
C. VM escape
Answer. A. A Trusted Platform Module (TPM) is included in many new laptops, provides a mechanism for vendors to perform hard drive encryption, and does not require purchasing additional hardware.
An HSM is a removable hardware device and is not included with laptops, so it requires an additional purchase.
A VM escape attack runs on a virtual system, and if successful, it allows the attacker to control the physical host server and all other virtual servers on the physical server.
A network-based Data Loss Protection (DLP) system can examine and analyze network traffic and detect if confidential company data is
TPM and HSM Summary
TPM and HSM are modules used for encryption. A Trusted Platform Module (TPM) is a hardware chip on the motherboard included on many newer laptops and it provides full disk encryption. An HSM is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. HSMs are used with high-volume e-commerce sites to increase the performance of SSL sessions, and some high-availability clusters needing encryption services use clustered HSMs. You can find more about TPM and HSM topics in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.