Trusted Platform Module (TPM) - Version 1.2 vs 2.0
6th Feb 2023
Users have been asking which version of TPM is better, TPM 1.2 or TPM 2.0, for 13th, 14th, and 15th Generation Dell servers. TPM technology has its pros and cons, and in this blog post we'll take a closer look at both versions so you can make an informed decision.
When is TPM technology needed?
TPM technology is needed if you need to store sensitive information or perform certain cryptographic operations on servers. The security provided by TPM technology allows the user to be sure their data is secure and protected from any malicious activity.
It also allows for remote attestation (RA) and endorsement key storage (EK). TPM is a hardware-based security product and is increasingly becoming standard in newer server builds.
TPM 1.2
Version 1.2 of TPM provides basic security features, such as secure boot and encrypted storage, that are suitable for most applications. It can also provide Endorsement Key Storage (EK) and Remote Attestation (RA). However, it does not offer advanced cryptographic key capabilities like RSA or ECDSA encryption/signing.
TPM 2.0
The main new feature Version 2.0 offers over Version 1.2 is better security control, as it provides advanced and integrated cryptographic key capabilities such as RSA and ECDSA encryption/signing. It also supports remote attestation (RA) and endorsement key storage (EK). Additionally, it is designed to be FIPS 140-2 certified and meets the requirements.
Deciding Between the Two
When it comes to deciding between TPM 1.2 and TPM 2.0, the decision should be made depending on the application software that is being used. If you require advanced cryptographic features such as RSA or ECDSA encryption/signing then TPM 2.0 would be your best option.
Microsoft Windows Server 2022
Different versions of Microsoft Windows Server require and leverage specific TPM versions as well. For example, Microsoft requires that Windows Server 2022 uses TPM 2.0 for features such as BitLocker Drive Encryption, so users who need these features should make sure their computers have the latest version of TPM installed.
Note that servers shipped before January 1st, 2021, as well as those shipped with either a different operating system (OS) or no OS (with TPM 1.2 or none at all), can still run the Windows Server 2022 operating system, though support will be limited in some cases. Therefore, to secure hardware, you are almost forced into using TPM 2.0 for any net new server purchase from Dell, as they continue to roll out more and more security features in their 15th and now 16th Generation servers.
You should also note the firmware version must be at least equivalent to NPCT 650 (1.3.2.8) or NPCT 750 (7.2.2.0). To future-proof your host system(s) and make the upgrade, you will then want to get TPM 2.0.
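The two criteria above (TPM 2.0, and firmware at or above the stated minimum) can be checked across a fleet from exported inventory. The following is an added example, not code from Dell or from this post: the `SpecVersion` and `ManufacturerVersion` fields are assumed to be exported from the Win32_Tpm WMI class, `host` and `chip` are hypothetical fields from your own hardware inventory, and the sample records are constructed.

```python
# Minimum firmware per chip family, taken from the post.
MIN_FIRMWARE = {"NPCT650": (1, 3, 2, 8), "NPCT750": (7, 2, 2, 0)}

# Constructed sample inventory. SpecVersion / ManufacturerVersion mimic the
# Win32_Tpm WMI properties; "host" and "chip" are hypothetical fields assumed
# to come from your own hardware inventory.
SAMPLE_INVENTORY = [
    {"host": "r740-01", "chip": "NPCT750", "SpecVersion": "2.0, 0, 1.38", "ManufacturerVersion": "7.2.2.0"},
    {"host": "r730-07", "chip": "NPCT650", "SpecVersion": "2.0, 0, 1.16", "ManufacturerVersion": "1.3.1.0"},
    {"host": "r630-03", "chip": "NPCT650", "SpecVersion": "1.2, 2, 3", "ManufacturerVersion": "5.81.2.1"},
    {"host": "r640-11", "chip": None, "SpecVersion": None, "ManufacturerVersion": None},
]

def parse_version(text):
    """Turn '7.2.2.0' into (7, 2, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(record):
    """Return (verdict, reason) for one inventory record."""
    spec = record.get("SpecVersion")
    if not spec:
        return "fail", "no TPM reported"
    family = spec.split(",")[0].strip()  # first field is the TPM spec family
    if family != "2.0":
        return "fail", f"TPM {family} present, TPM 2.0 required"
    minimum = MIN_FIRMWARE.get(record.get("chip"))
    if minimum is None:
        return "review", "chip family not covered by the post's firmware minimums"
    try:
        firmware = parse_version(record["ManufacturerVersion"])
    except (KeyError, AttributeError, ValueError):
        return "review", "firmware version missing or unparseable"
    if firmware < minimum:  # tuple compare, so 1.3.10.0 ranks above 1.3.2.8
        want = ".".join(map(str, minimum))
        return "fail", f"firmware {record['ManufacturerVersion']} is below {want}"
    return "pass", "TPM 2.0 with firmware at or above the minimum"

def audit(inventory):
    """Map each host to its (verdict, reason)."""
    return {rec["host"]: assess(rec) for rec in inventory}

if __name__ == "__main__":
    for host, (verdict, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict:7} {reason}")
```

Hosts marked "review" need a manual check against the Dell article rather than an automatic pass or fail.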
Windows Server 2019/2016 Operating Systems
Version 1.2 of TPM is available on Windows Server 2019 and Windows Server 2016 (v1607 or greater). TPM 2.0 can go on all of these versions as well. However, if you don't require these features and just want basic security features such as secure boot and encrypted storage, then version 1.2 is suitable for your needs.
TPM Configurations - Note Dell Article for complete details
In the TPM Advanced Settings, the below setting should be the default
How to Manage Cryptographic Keys
Cryptographic keys should be managed in the TPM, but when managing these keys you will want to make sure they are aligned with industry best practices. To do this, you'll need to create a key hierarchy that includes:
• Creation master key (CMK)
This is an RSA 2048-bit asymmetric key that is used to create other keys.
• Cryptographic Storage key (CSK)
This is an RSA 2048-bit key that is used to store the user's data securely.
• Endorsement Key storage key (EKSK)
This is a 1024-bit or 2048-bit ECC public/private key pair that is used to sign and validate other keys.
• Application-specific key (ASK)
This is an RSA key that is used to encrypt and decrypt data in the application.
Once these keys have been created, they should be stored in the TPM chip itself for security reasons. You may also want to consider disabling write access to Permanent Memory (PM) and Volatile Memory (VM) as an added security measure. This can help protect your TPM version from malicious attacks, and also prevent unauthorized users from altering the cryptographic keys stored within it.
Access Control
TPM chips include an access control mechanism that helps you protect the keys stored within them. This ensures that only authorized users can access and use these cryptographic keys, helping to keep your data secure. Additionally, some Dell TPMs also support two-factor authentication (2FA), which adds an extra layer of security when accessing or using the Dell servers.
Discrete TPM
Also known as embedded TPMs, discrete TPMs are considered to be the most secure form of TPM hardware. These TPMs have dedicated memory and processing capabilities, meaning that they are completely independent of the host computer system and can't be tampered with or altered in any way.
Virtual TPMs
Somewhat less secure than discrete TPMs, virtual TPMs are designed to use the host computer's memory and processing capabilities. Despite this, they do offer many of the same security benefits as a discrete TPM. The main advantage of using a virtual TPM is that it can be used in scenarios where hardware-based security is not available, such as in cloud computing environments.
No matter which type of TPM state you decide to use, it's important that you take the time to properly configure and manage it. Following industry best practices can help ensure that your TPM is secure and functioning at its highest level of efficiency.
Supporting your TPM State
When it comes to updating or configuring your server’s TPM settings, you should always consult with a qualified KI specialist. They can help ensure that your TPM implementations are set up correctly, help implement policies, and help you be compliant with industry standards. Service providers can also help manage TPM specification updates and support the TPM's ongoing posture.
Additionally, make sure you use a FIPS 140-2 certified tool to manage the cryptographic keys in the TPM, as this will meet the government's security requirements and ensure the platform remains trustworthy. Ultimately, following these steps will help protect your hardware and keep it secure.
Potential Gotchas:
One potential issue to note is that TPM technology requires specific hardware to be installed on the system for it to work properly. If your system does not have the necessary hardware, then you will need to buy new hardware or upgrade your existing system before being able to use TPM 2.0.
Additionally, some third-party applications may not be compatible with TPM 2.0, so you should check to make sure your chosen application will work with it before making the switch. This may be a big reason why you need to stay back on older versions of Windows if the application won't run on TPM 2.0.
Overall, when it comes to deciding between TPM 1.2 and TPM 2.0 it is important to consider your specific application needs and make sure your system has the necessary hardware before making the switch. With these factors in mind, you can make an informed decision on which version of TPM will best meet your needs. Good luck!