23

I read that a TPM (Trusted Platform Module) has some sort of burnt in key that it uses, along with the password you provide, to encrypt your data. The point is that you cannot decrypt your Hard Disk without the TPM (please correct me if I'm wrong). The question is: Do you completely loose access to your data if the TPM breaks?

What if it simply fails, like many chips do? Do you lose all your data that you encrypted using said TPM chip?

Imagine the scenario where you spill some water on your laptop, it gets to the TPM, and fries it! TPM chip is now unusable, but, since you do a daily backup of everything, you still have the data (a mirror copy of your HDD), but not the TPM (because it doesn't work anymore). Is the data lost forever?

Philipp
Fresco
  • 1
    Some disk encryption solutions support adding a second recovery key which can be used in case the TPM fails. – André Borie Jul 02 '16 at 16:50
  • 2
    In the case of BitLocker, you would use the recovery key in this scenario. This is created when you first encrypt the drive, and you are prompted to save it and store it in a safe place. You should always do this. – Michael Hampton Aug 13 '16 at 06:36

3 Answers

15

The purpose of a TPM module is to ensure that there is absolutely no way to obtain the keys stored on it. Whether or not it actually fulfills that purpose is a topic for another question. For now let's assume that it works as designed. That means when the TPM module is destroyed, so is the key, and so is any hope to decrypt the data encrypted with it.

However, most backup solutions do not binary mirror the hard drive they back up. A proper backup solution must provide the ability to fully recover the data even in case the original system is a complete physical loss. So any dependence on any part of the backed up system would be counter-productive. Usually a backup solution backs up the cleartext data. There are also solutions where the backup is encrypted with a key before sending it to a backup system but in that case the key should be backed up elsewhere (this means you need two backup systems: A small-space/high-security one for the key and a large-space/low-security one for the data). The backup system might or might not encrypt the backups independently with its own key on its own hard drives.

Philipp
  • 2
    What about the Bitlocker recovery key? Can't it be used to recover the data even without the TPM module? (example: the TPM module burns). – TCB13 May 12 '18 at 00:01
  • Bitlocker goes into recovery mode when TPM fails or is not visible. See: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan – Nux Aug 13 '20 at 22:30
  • @TCB13 yes, you always have a recovery key that you can enter in case the tpm fails or you forget the bitlocker password. In an Active Directory environment you can set a GPO to auto collect the recovery key under the computer account so it is available to the domain admin in case of emergency. – Brain2000 Sep 03 '22 at 02:29
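The comments above describe the practical answer for BitLocker: a recovery password protector that sits beside the TPM protector, optionally escrowed to Active Directory. The following is an added check, not code from the original answers, written against the built-in BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Backup-BitLockerKeyProtector`); the function name and its switches are my own. It reports, for every encrypted volume, whether a recovery password exists next to the TPM protector, and can add and escrow one where it is missing.

```powershell
# Added example: verify that no volume depends on the TPM alone.
# Assumes Windows 10/11 or Server with the BitLocker module, run elevated.
function Test-BitLockerRecoveryCoverage {
    [CmdletBinding()]
    param(
        # Create a recovery password on volumes that have a TPM protector but no recovery password.
        [switch]$AddIfMissing,
        # Escrow every recovery password protector to AD DS (domain-joined machines).
        [switch]$BackupToAD
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Volumes that are not encrypted have nothing to lose if the TPM dies.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $protectors = @($vol.KeyProtector)
        # 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' all require the same chip.
        $tpmBound = @($protectors | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $recovery = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($tpmBound.Count -gt 0 -and $recovery.Count -eq 0 -and $AddIfMissing) {
            Write-Warning "$($vol.MountPoint): TPM protector without a recovery password; adding one."
            # Add-BitLockerKeyProtector returns the updated volume object.
            $updated  = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $recovery = @($updated.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                # Escrow to AD DS; Entra ID-joined devices use BackupToAAD-BitLockerKeyProtector instead.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            }
        }

        # One row per volume; a TPM-bound volume with RecoveryPasswords = 0 is unrecoverable
        # if the chip fails or the board is replaced.
        [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            TpmProtectors     = $tpmBound.Count
            RecoveryPasswords = $recovery.Count
            AtRisk            = ($tpmBound.Count -gt 0 -and $recovery.Count -eq 0)
        }
    }
}

Test-BitLockerRecoveryCoverage | Format-Table -AutoSize
```

The 48-digit password itself is in the `RecoveryPassword` property of each protector; print it only to store it out of band, never leave it on the encrypted volume.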
8

If the TPM 'breaks' or becomes otherwise inaccessible, all cryptography dependent on keys stored by the TPM also breaks. This is the most concise and inclusive way I could think to put it.

I say 'cryptography' because the TPM does more than just encryption. Encryption is just one use of cryptography, as are signatures, authentication, etc.

The TPM stores keys, it doesn't actually do the drive encryption. It acts as the key-ring for the software that actually does the encryption.

Think of losing your physical keys: if you asked "what happens when I lose my keys", we can't answer that for you. We don't know what keys you have, or what they are for. All we can say is "well, whatever you had keys for on your key-ring, now you can't access those things."

What exactly happens is not a general question about keys at all. If you had keys to your house, a car and a boat on your key ring, and you lost it, but you have a backup house key somewhere, then the answer is you lose access to your car and your boat, but you can still get in your house.

So back to your encrypted hard disk: What exactly happens is not a TPM question at all, it's a question about the software you are using. If you are using BitLocker, for example, to encrypt your hard disk, you might know everything there is to know about the TPM, but if you don't know exactly how BitLocker works, and how/if it even uses the TPM, then you cannot answer the question of what 'exactly' happens. Does it migrate/backup keys? Does it save clear-text data to the cloud somewhere for retrieval? These are questions for the BitLocker software, and not about the TPM at all.

So in short, if the TPM 'breaks':

  • Any data you encrypted with a key that only exists in the TPM, which isn't backed up, is lost (i.e. your encrypted hard disk)
  • Any cryptographic identity based on the TPM (i.e. Identity Keys) is now lost
  • Any trust in the platform (i.e. during remote attestation) is now lost

IOW, any cryptography based on the TPM is now hosed.

NOTE: As in another answer "broken" here means "inaccessible", not "hacked" or broken in that it becomes insecure, that is another question.

Wilbur Whateley
-2

"The problem, which goes unnoticed by everyone, is that we are linking our Windows installation to our CPU and our motherboard. As we can read in this warning message when enabling TPM 2.0: if we change the processor or the BIOS chip of the motherboard, we will lose the keys of the TPM encryption. The encryption key can no longer be recovered in any way and we will lose all the data that we have stored inside the hard drive."

Source: https://techunwrapped.com/beware-of-tpm-the-windows-11-requirement-you-can-lose-your-data/