Hate to ask this (tpm chip on motherboards)

  #1 Senior Member (joined Aug 2006, 998 posts)

    I'm building a server for home for document archival. Of course, for security reasons, I want the server to encrypt its main drives as well as be able to boot up without requiring a password so family can access it when I'm not there. So, Windows Server 2008 + Bitlocker fits this purpose perfectly.

    Enter the horror story. I cannot, for the life of me, find any way to find motherboards that have a TPM 1.2 chip on them. I searched Google, inconclusive (because the details on the board are so vague, I can't tell if the motherboard explicitly has this feature or not.) I checked out Intel's motherboards, and the several they touted with this functionality, when I hit various places like Newegg, they stated they were discontinued. Same with Tiger Direct.

    Meh, I'm missing something, and it's probably something very stupid.

  #2 DannoXYZ, Senior Member (Saratoga, CA; joined Jul 2005, 11,495 posts)
    You can use the group-policy editor to turn on BitLocker encryption and use a USB dongle as the key rather than TPM...

  #3 Senior Member (joined Aug 2006, 998 posts)
    Quote Originally Posted by DannoXYZ:
    You can use the group-policy editor to turn on BitLocker encryption and use a USB dongle as the key rather than TPM...
    I'm doing that right now with a USB drive. However, anyone who grabs the dongle from the machine can unlock the machine, and I want it to boot even when I'm not home if there is a power failure in case family wants to use it.

    The TPM + Bitlocker solves two problems. Keeping baddies out with whole disk encryption, and not having to require a password to boot a server, so it can restart after an update. The TPM keeps people from booting a CD and getting access to the stored data, while not forcing anyone on site to know a special password to boot the machine.
    Last edited by mlts22; 04-21-08 at 01:39 AM.

  #4 DannoXYZ, Senior Member (Saratoga, CA; joined Jul 2005, 11,495 posts)
    Well... all of the Intel Macs have TPM 1.2 if you want to use one of them. Why do you need such high-security on a home machine?

  #5 Senior Member (joined Aug 2006, 998 posts)
    Quote Originally Posted by DannoXYZ:
    Well... all of the Intel Macs have TPM 1.2 if you want to use one of them. Why do you need such high-security on a home machine?
    It's actually not too high security. I urge anyone and everyone who has a laptop to use some type of hard disk encryption. High security is my laptop that has to have a smart card and a passphrase to boot. Too many wrong password guesses, and the smart card zaps itself.

    Couple of reasons for this security. Here in Austin there is a crime ring working the rounds stealing laptops and other computer parts (including people wandering around pretending to be lost in office buildings, looking around for the right moment to lift something.) Once the laptop is stolen, it's fenced to another criminal group that contacts the owner of the laptop via either anonymous remailers or SPIT (spam over internet telephony) and extorts money. The group will pretty much tell the owner to cough up some thousands of dollars, or the data stored on the laptop will be lent to "friends" offshore for use in ID theft and directed phishing attacks.

    Encrypting data on machines (desktop/laptop/server) ensures that a hardware theft is a hardware theft, and not a hardware + data + identity theft.

    What I find ironic is that MS pushed hardware makers to have a TPM chip on everything they made post-2007. One year later, finding this security technology is quite rare unless buying a high-end Dell, HP, or Lenovo laptop.

    I consider encrypting one's machine (FileVault if on Macs, TrueCrypt if on Linux, or TrueCrypt/PGP/BitLocker if on Windows) the same thing as locking the deadbolt on the door when leaving for the morning. It's even less of a hassle than that, because the only time I even notice a hard disk encryption program is when I do a reboot and need to type one line of text.

  #6 ItsJustMe, Seņior Member (Michigan; joined Sep 2005, 11,552 posts; bikes: Windsor Fens, Giant Seek 0 (2014, Alfine 8 + discs))
    If it boots up and allows its shares to be accessed without a password, what's the good of the encryption?

    Just curious. I'm a long-time TrueCrypt believer, and think anyone who has data that they care about stolen got what was coming to them for being lazy.
    Work: the 8 hours that separates bike rides.

  #7 Senior Member (joined Aug 2006, 998 posts)
    Quote Originally Posted by ItsJustMe:
    If it boots up and allows its shares to be accessed without a password, what's the good of the encryption?

    Just curious. I'm a long-time TrueCrypt believer, and think anyone who has data that they care about stolen got what was coming to them for being lazy.
    I'm also a long-time TrueCrypt user. For servers, BitLocker is engineered for security, but with different goals than TrueCrypt. TrueCrypt is to protect against well-nigh everything that comes at it, including the guys with the rubber hose. BitLocker makes some security compromises in return for some data recovery features which are needed in corporate IT. For example, BitLocker asks one to print out and save the volume AES key so you can manually enter that in case of emergency. It's assumed that the user will store the AES key info in a locked location. On Active Directory domains, BitLocker can also store recovery keys in the Active Directory schema, allowing IT staff access to a laptop that was used by a terminated employee, for example.

    What the TPM chip does with a Bitlocker system is first scan the MBR and first boot sectors to check if it matches a valid hash. Then, and only then, does it pass the volume key to the booting machine which allows it to decrypt, boot, and go online. If someone pulls the hard disk or tries to modify the boot loader (to try to put a keylogger on for storing the volume key somewhere), the TPM will catch the modified code and refuse to pass the key, requiring the drive to be unlocked either by a keyfile (stored on a USB flash drive in a secure place), or a manually punched in set of characters.

    The advantage for a server: Attacks are limited to the logon screen and from remote (things which TrueCrypt can't protect against anyway). Someone can't just boot up a Knoppix CD, and use a copy of Ophcrack to pull out passwords. Someone can physically steal the server, but they would still be stuck trying to guess passwords by hand at the winlogon screen.

    Bitlocker serves most business needs. It will keep a server at a remote location able to boot and be usable by employees who are not authorized to have admin rights, but yet keep data stored on the system and other volumes encrypted, inaccessible unless someone manages to get admin rights to the machine. Bitlocker is highly secure, and does not have any security holes that TrueCrypt doesn't have, but Bitlocker is engineered for recoverability so IT people can regain access to encrypted volumes. TrueCrypt is engineered with security in mind, and the only real way to have IT people recover an encrypted volume with a lost passphrase is for them (the IT staff) to have saved a header backup with a known passphrase beforehand.

    If you want a passphrase for booting, all TPM chips can have one enabled where, if someone types the passphrase wrong more than 5 times, the TPM will lock, and the drive contents will be inaccessible (until you manually unlock the drive with its main key).

    I would recommend looking at the BitLocker wiki and MS's article (http://tinyurl.com/3y9frd) for further tech details.

    To sum up: Bitlocker is akin to a pair of pliers, and TrueCrypt is akin to a pair of needle nose pliers. Both serve similar purposes, but they address needs for totally different people.
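The behaviour post #7 describes (the TPM hashing the boot code and releasing the volume key only when the measurement matches, a recovery password as the fallback when it does not, and a boot PIN that locks the TPM after five bad guesses) as an added toy model in Python. This is not code from the thread, from Microsoft, or from any real TPM or BitLocker implementation: the single-PCR extend rule, the SHA-256 counter-mode "cipher" used to wrap the key, the five-attempt lockout threshold, the recovery password value and the sample boot components are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample boot components (stand-ins for the MBR, boot sector and
# boot manager a real machine would measure; not real firmware images).
MBR = b"mbr: constructed sample"
BOOT_SECTOR = b"ntfs boot sector: constructed sample"
BOOTMGR = b"bootmgr: constructed sample"
TAMPERED_BOOTMGR = b"bootmgr: constructed sample + keylogger"

ZERO_PCR = b"\x00" * 32  # PCR reset value


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: PCR' = H(PCR || H(component)).

    The result depends on every component measured so far and on their
    order, so changing one byte of the boot loader changes the final PCR."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure a whole boot chain into one PCR, starting from the reset value."""
    pcr = ZERO_PCR
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _keystream(secret: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream so the example needs only the
    # standard library; a real implementation would use AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(secret: bytes, vmk: bytes):
    """Encrypt the volume master key (VMK) under a secret and MAC the result."""
    blob = bytes(a ^ b for a, b in zip(vmk, _keystream(secret, len(vmk))))
    return blob, hmac.new(secret, blob, "sha256").digest()


def unwrap(secret: bytes, blob: bytes, tag: bytes) -> Optional[bytes]:
    """Return the VMK, or None if the secret is wrong (MAC check fails)."""
    if not hmac.compare_digest(hmac.new(secret, blob, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(blob, _keystream(secret, len(blob))))


class ToyTpm:
    """Seals a key to a PCR value and, optionally, to a PIN with lockout."""

    MAX_PIN_FAILURES = 5  # assumed lockout threshold, as stated in the post

    def __init__(self):
        self.pcr = ZERO_PCR
        self.sealed = None
        self.pin_failures = 0
        self.locked = False

    def boot(self, components) -> None:
        self.pcr = measure_boot(components)

    def seal(self, vmk: bytes, pin: str = "") -> None:
        """Seal VMK to the current PCR (TPM-only) or to PCR + PIN (TPM+PIN)."""
        self.sealed = (self.pcr, *wrap(self.pcr + pin.encode(), vmk))

    def unseal(self, pin: str = "") -> Optional[bytes]:
        """Release the VMK only for the boot chain it was sealed to."""
        if self.locked:
            return None
        expected_pcr, blob, tag = self.sealed
        if self.pcr != expected_pcr:
            return None  # modified boot code: key withheld, no PIN attempt counted
        vmk = unwrap(self.pcr + pin.encode(), blob, tag)
        if vmk is None:
            self.pin_failures += 1
            self.locked = self.pin_failures >= self.MAX_PIN_FAILURES
            return None
        self.pin_failures = 0
        return vmk


def demo() -> dict:
    """Walk through the scenarios from the post and report what happened."""
    vmk = os.urandom(32)
    recovery_password = "123456-654321-111111-222222-333333-444444-555555-666666"
    recovery_blob, recovery_tag = wrap(recovery_password.encode(), vmk)
    good_chain = [MBR, BOOT_SECTOR, BOOTMGR]
    results = {}

    tpm = ToyTpm()
    tpm.boot(good_chain)
    tpm.seal(vmk)  # TPM-only protector: the server can reboot unattended
    tpm.boot(good_chain)
    results["clean_boot_releases_vmk"] = tpm.unseal() == vmk

    tpm.boot([MBR, BOOT_SECTOR, TAMPERED_BOOTMGR])  # boot loader swapped
    results["tampered_boot_releases_vmk"] = tpm.unseal() == vmk
    results["recovery_password_unlocks"] = unwrap(
        recovery_password.encode(), recovery_blob, recovery_tag) == vmk
    results["wrong_recovery_password_unlocks"] = unwrap(
        b"000000-" * 8, recovery_blob, recovery_tag) == vmk

    pin_tpm = ToyTpm()
    pin_tpm.boot(good_chain)
    pin_tpm.seal(vmk, pin="2468")  # TPM+PIN protector
    pin_tpm.boot(good_chain)
    for _ in range(ToyTpm.MAX_PIN_FAILURES):
        pin_tpm.unseal(pin="0000")
    results["tpm_locked_after_bad_pins"] = pin_tpm.locked
    results["correct_pin_after_lockout_releases_vmk"] = pin_tpm.unseal(pin="2468") == vmk
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints one line per scenario. The point worth noticing is in `unseal`: a PCR mismatch is refused before any PIN is checked, so an attacker who boots a live CD cannot burn through PIN attempts to reach the lockout, but also cannot obtain the key; only the recovery password, which is wrapped independently of the PCR, still opens the volume.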
