How and when to enable hardware-based TPM security on servers

Most servers include a Trusted Platform Module, but you only want to turn it on and manage TPM when the server handles high-value encrypted workloads.

Trusted computing adds security to server hardware and operating systems. So take the time to learn how -- and when -- to deploy it.

Servers have received comparatively little attention from security, which obsesses about protecting data. The not-for-profit industry collaboration Trusted Computing Group developed a set of security standards to protect encryption keys and ensure the integrity of hardware platforms and host OSes. These standards are routinely available on modern servers as the Trusted Platform Module (TPM).

Many IT organizations, however, don't enable TPM security; some simply don't understand how to fully deploy the technology, while others fear an accidental loss of access to protected data.

The purpose of the Trusted Platform Module

Hardware tampering can expose encryption keys. The purpose of the TPM is to implement a hardware controller on the server motherboard. This acts as a repository for keys, passwords and digital certificates, which are all protected through the TPM's subsystem. In effect, the physical TPM becomes an integral part of the encryption keys. As a hardware device, the TPM is immune to malware and forgery.

Remember, Trusted Computing technology protects sensitive data, but it also requires specific hardware components. And hardware can fail. Enable TPMs only where most appropriate, manage passwords vigilantly and be sure to test TPM behaviors thoroughly.

The TPM is secured with a unique key created by taking a baseline "fingerprint" of the server and its components as it boots, and comparing that baseline against periodic measurements of the system's parameters. If the boot characteristics change and the fingerprint no longer matches actual system parameters, hardware tampering may be indicated, and system access denied.

Once the TPM-compliant BIOS hands off system control to a TPM-enabled operating system, such as Windows 8 or Windows Server 2012, the OS can also compare the BIOS TPM fingerprint to previous boot cycles to check for potential tampering. When a system boots successfully with TPM enabled, the system is generally regarded as trusted.

After boot, TPM supports additional security features such as BitLocker drive encryption. One popular example is the measured boot feature of Windows 8 and Windows Server 2012, which share a log of boot components with anti-malware tools. If the boot components don't match the log of trusted components, the server could be under attack.

Basic TPM requirements and issues

TPM deployment requires a server hardware platform fitted with a TPM and compliant BIOS, which virtually every server vendor offers. Systems ship with TPM disabled, putting the onus on administrators to enable and activate the Trusted Platform Module.

TPM primarily protects encryption keys, so it might not be necessary on non-critical platforms with workloads running unencrypted data. However, enable it on systems that use file or folder encryption, or rely on local password management, run S-MIME email, need authentication for VPN or PKI, or use wireless interfaces such as 802.1x or LEAP.

If your current servers are not TPM-capable, put Trusted Platform Module on your next technology refresh cycle's must haves -- TPM cannot be added as an aftermarket upgrade.

TPM does not necessarily require a TPM-aware OS, but it does enhance security by enabling cryptographic functions and checking the system's footprint. Major OS releases -- Windows Server 2008 and 2012, Oracle Solaris 11, the Linux kernel -- support TPM.

The Trusted Computing approach to encryption isn't foolproof. Any keys created in concert with the TPM (not necessarily just managed by the TPM) are completely unrecoverable if the TPM fails or critical server components, such as the motherboard, are replaced. Look for the system or TPM software utilities to create backup or archival keys that can be restored from emergency media like a flash drive. Test recovery before TPM rolls out on production servers.

TPM implementation requires careful hardware management and attention to emergency recovery data. If a server motherboard fails, it is not possible to move the old TPM to the motherboard; the motherboard will have a TPM. Any data encrypted under the old TPM will be inaccessible and the OS may not even boot. The system will halt and ask for that recovery key that you have saved on emergency media. The recovery key will re-enable the TPM and restore encrypted disk access. Then, re-create a set of keys for the TPM.

Starting up TPM

TPM implementation varies with different server BIOS versions, TPM standards, OSes and TPM utility versions.

Basically, IT administrators enable TPM in the server BIOS's security menu, and reboot. Servers do not allow changes to the TPM state remotely, so the administrator needs to actually be in the data center. Remember this when you're managing secure remote servers.

Once the TPM is enabled in BIOS, activate it at the OS level to "take ownership." Some systems use a TPM management utility such as Intel's Embassy Security Center. TPM-enabled operating systems manage TPM through PowerShell cmdlets. Always refer to TPM utility or OS documentation for exact procedures, but you usually manually set a TPM password and verify the TPM configuration. Again, you must be present to perform the tasks. Otherwise, your tasks could be seen as nefarious malware.

Always record or save backup copies of TPM-related passwords and keys in a secure physical location offsite.

Stopping a TPM

After the TPM is enabled and activated, it will run without direct intervention from administrators unless you need to manage TPM commands --an exceedingly rare occurrence. The exception is when administrators need to turn off or even clear the TPM.

Some servers are decommissioned then repurposed within the enterprise, and no longer need TPM functionality. With TPM off, applications and data can process on the server without TPM support.

You can deactivate through the OS, using PowerShell cmdlets for example. If the OS does not support disabling TPM, manually intervene via the same BIOS menu used to enable or clear the feature.

Administrators can clear the TPM through the BIOS. If you clear the TPM entirely, you'll restore the factory default settings, resetting all keys and passwords in the TPM and rendering any encrypted data inaccessible. Clear the TPM if you lose the password or if you're recycling or selling the server. Do not clear TPM on a production server!

Some motherboards include a TPM clear jumper -- set it prior to clearing the TPM and reset after. This protects against tampering because it requires an administrator with additional physical access and knowledge of the server's internal layout. However, Windows Server 2012 allows administrators to clear the TPM through PowerShell cmdlets.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center