Where to buy a 20-pin TPM (Trusted Platform Module)?

SeanTek

I'm interested in getting a Trusted Platform Module (TPM) for the new desktop rig that I am building, mostly for enhanced security with BitLocker. Currently, I'm looking at the Gigabyte GA-Z68X-UD3P-B3, which has a 20-pin TPM header.

Does anybody know where to buy a TPM? I am told from different sources (Gigabyte tech support, Asus tech support, etc.) that the connector is standard and therefore I can just go out and buy it "anywhere". Unfortunately, a search online has not uncovered a huge trove of TPMs just waiting for the buying.

Of all TPMs, only the Infineon TPM has been certified by the Trusted Computing Group. I would like to avoid others for fear of backdoors. I found this one but if you look closely at the pinout diagram, it differs slightly from documentation from several motherboard manufacturers--I checked Gigabyte, Asus, and Supermicro. So, I have no idea if it will work or not.
 
Yes, I did that (as indicated my first post). The "20-pin Infineon TPM module" is the only real result, and it has the pinout diagram problem that I described.
 
I am now - set it up to teach myself about it yesterday.
Currently setup as TPM+Key mode (key on a USB stick) and working.

Damned expensive experiment!

A supposed $8 TPM module cost me about $50 (with shipping out of Europe after I finally found it) plus the trip to pick up the 2 x $3 header extenders, and then the Windows Home Premium upgrade to Ultimate!

I'll list what I did - which is (in hindsight) the wrong way around - I think I should have gone the group policy bits FIRST, but I didn't - and it's working, so.... :)

First off, enable BitLocker on the system drive and backup the keys to a USB stick. Also, save them to another file somewhere else, and print them out (and put the printouts somewhere secure). These are the recovery keys - lose them, your system is toast.

Then reboot, and all is normal.

Then open up an administrative command prompt and run:

manage-bde -protectors -get c:

That will list the protectors, which should be three keys (Numerical, External and TPM).

Then I put a different USB key in, and ran:

manage-bde -protectors -add c: -TPMAndStartupKey X:

Replace X: with the drive letter of the USB key.

Which added a new ID for "TPM with startup key" and put it on the USB drive, which is now your startup token - but your system is still set not to use it.

You can validate it's there by running the "get" command again - but now your C: drive has four keys/ways to start/unlock - although none are enabled - yet.

Then, using Group Policy, go to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Double click the "Require additional authentication at startup" setting.
Switch the setting to "Enabled" (all the lower options will enable).

DISABLE (uncheck) "Allow BitLocker without a compatible TPM" - this obviously means you HAVE to have a TPM module installed.

Then, change the other dropdown to the following settings:

Configure TPM startup : Do not allow TPM
Configure TPM startup PIN : Do not allow startup PIN with TPM
Configure TPM startup key : Require startup key with TPM
Configure TPM startup key and PIN : Do not allow startup key and PIN with TPM

The bold one is the important one. If you look at each dropdown you will see they have three options - Allow, Require and "Do Not Allow". Allow means you could use the option, or not. "Do Not Allow" means you cannot use it, and Require means you must.

Click "Apply", remove the USB drive and reboot.
Before the "Starting Windows" screen appears, you should now get a nice DOS-esque window telling you that you need a startup key, or to enter recovery mode. Put the USB startup key in, press ESC and the machine will reboot, and this time, start as normal.

The next thing to do is remove the keys you don't need. Run:

manage-bde -protectors -get c:

Note the ID strings for each key (including the {} curly brackets). Then run:

manage-bde -protectors -delete C: -id {KEY ID HERE INCLUDING CURLY BRACKETS}

Do this ONLY for the External Key and the TPM (only) key.
This should leave you with the Numerical Password and the "TPM And Startup Key". This means you can now only unlock C: (i.e. boot) with the recovery key (numerical ID, which you printed out earlier) AND the USB drive.

At this point however, only your boot disk is secure - so now you can encrypt any other partitions/disks you have - but when you do so, set them to automatic unlock. Also, save/print their unlock keys (NOT to your startup USB key!).

Once you've encrypted a new disk, there is one more step to take. Again, run:

manage-bde -protectors -get Y:

Where Y: is the newly encrypted drive.
You will see a new type of key, with "Automatic Unlock Enabled" under it.

Remove ALL other keys for that drive except the Numeric Password and the key ID which states it's the automatic unlock one. (i.e. remove TPM and External Key (no automatic unlock))

This drive does not need a startup key, as it's not the boot disk. The key for this drive is put in your registry, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock
(which should be inaccessible to you)

When you unlock the boot disk, Windows will access that key and unlock your other disks automatically.

Obviously, if you want to use TPM + Key + PIN, change the methods above to use TPM + Key + Pin instead of just TPM + Key. When you tell manage-bde to use a PIN, it will ask you for one - just make sure you remember it :)

Also, note that you cannot just "copy" the startup key file (.BEK extension) to a new key, if you have multiple users. You must open Explorer, right click your C: drive, select "Manage BitLocker" and select "Duplicate Startup Key". This is because Windows checks the physical ID of the USB key, to check someone hasn't just got hold of your drive and swiped the file.

Obviously, don't lose your USB fob, or your print out recovery keys!

This set of instructions is valid for anyone using a TPM module (not just the TPM module/motherboard combo I used) - although your BIOS must be capable of booting from USB to let the key be read....

Hope that helps!
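The procedure in the post above, as an added PowerShell example that is not from the thread or from the poster. It does the same thing as the manage-bde steps but in the order the poster says (in hindsight) is right: it first checks that the "Require additional authentication at startup" policy is set to require a startup key with the TPM, refuses to touch anything unless a numerical recovery password protector exists, and only then removes the External and TPM-only protectors from the OS drive so that the recovery password and "TPM And Startup Key" are the only ways in. Assumptions: Windows 8 / Server 2012 or later, where the BitLocker PowerShell module (Get-BitLockerVolume, Remove-BitLockerKeyProtector) exists (the poster was on Windows 7 Ultimate, where only manage-bde is available); an elevated session; and the meaning of the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE (0 = Do not allow, 1 = Require, 2 = Allow), which is my understanding of how gpedit writes that setting and should be compared against your own gpedit output before relying on it.

```powershell
# Added example, not code from the thread. Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$OsDrive = 'C:',
    [switch]$DryRun           # report what would be removed, remove nothing
)

Import-Module BitLocker -ErrorAction Stop

# Protector types that stay on the operating system drive: the numerical
# recovery password (printed out earlier) and "TPM And Startup Key".
$KeepOnOs = @('RecoveryPassword', 'TpmAndStartupKey')

# Registry values written by the "Require additional authentication at startup"
# policy. Value meaning is an assumption: 0 = Do not allow, 1 = Require, 2 = Allow.
$ExpectedPolicy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 0   # Configure TPM startup: Do not allow TPM
    UseTPMPIN          = 0   # Configure TPM startup PIN: Do not allow
    UseTPMKey          = 1   # Configure TPM startup key: Require startup key with TPM
    UseTPMKeyPIN       = 0   # Configure TPM startup key and PIN: Do not allow
}

function Get-ProtectorSummary {
    # One row per key protector on the volume (equivalent of manage-bde -protectors -get).
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            Drive = $MountPoint
            Id    = $kp.KeyProtectorId          # the {GUID} manage-bde shows
            Type  = $kp.KeyProtectorType.ToString()
        }
    }
}

function Test-StartupPolicy {
    # Compare the applied local policy with the values the post requires.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        Write-Warning "No BitLocker policy found at $key"
        return $false
    }
    $actual = Get-ItemProperty -Path $key
    $ok = $true
    foreach ($name in $ExpectedPolicy.Keys) {
        $have = $actual.$name
        if ($have -ne $ExpectedPolicy[$name]) {
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $ExpectedPolicy[$name], $have)
            $ok = $false
        }
    }
    return $ok
}

function Remove-UnwantedProtectors {
    # Delete every protector whose type is not in $Keep; never proceed
    # without a recovery password, because losing the last protector
    # means the volume can no longer be unlocked.
    param([string]$MountPoint, [string[]]$Keep)
    $protectors = @(Get-ProtectorSummary $MountPoint)
    if ($protectors.Type -notcontains 'RecoveryPassword') {
        throw "$MountPoint has no numerical recovery password protector; add and back one up first."
    }
    if ($protectors.Type -notcontains 'TpmAndStartupKey') {
        throw "$MountPoint has no TPM And Startup Key protector yet; run manage-bde -protectors -add first."
    }
    foreach ($p in $protectors) {
        if ($Keep -contains $p.Type) {
            Write-Host ("keep    {0,-18} {1}" -f $p.Type, $p.Id)
        } elseif ($DryRun) {
            Write-Host ("would remove {0,-13} {1}" -f $p.Type, $p.Id)
        } else {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.Id | Out-Null
            Write-Host ("removed {0,-18} {1}" -f $p.Type, $p.Id)
        }
    }
}

# Policy first, then cleanup: the poster says doing it the other way round
# was the wrong order.
if (Test-StartupPolicy) {
    Remove-UnwantedProtectors -MountPoint $OsDrive -Keep $KeepOnOs
} else {
    Write-Warning 'Set "Require startup key with TPM" in gpedit, reboot once with the USB key inserted, then re-run.'
}
```

Run it first with -DryRun to see the same protector IDs manage-bde lists and which ones would go; the two throw checks are the script's equivalent of "lose them, your system is toast". For the non-boot drives the post encrypts afterwards, the same function can be reused with a Keep list of 'RecoveryPassword' plus the ExternalKey protector that Get-BitLockerVolume reports as the auto-unlock one, which is the "Automatic Unlock Enabled" entry in the post.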
 