Hardware-based Encryption – CompTIA Security+ SY0-401: 4.4


You can add additional security features by using hardware to assist with the encryption process. In this video, you'll learn about trusted platform modules, hardware security modules, USB encryption, and hardware-assisted hard drive encryption.



If you hear the term "trusted platform module" or TPM, it's referring to one of two different things. One of those things is the standard that defines a set of cryptographic functions, which is then usually implemented in a piece of hardware. So sometimes you'll hear of the TPM standard or specifications.

You’ll also hear of TPM chips that are on the motherboards or our computer systems themselves. And that is where we’ll have this hardware built into our computer to help us out with all of this encryption and these other types of cryptography functions that we run into these days.

One of the things that's on a TPM is a cryptographic processor. This processor includes a random number generator and has key generators built into it. A lot of the heavy CPU work that comes with any type of cryptography uses these standard operations. So having a piece of hardware that can do that, rather than the main CPU of your computer, is going to be helpful.

There’s also inside of the TPM something called persistent memory. There are a number of unique keys that are burned into the hardware when this is produced. And those keys obviously can’t be changed because they’re burned into the hardware. That’s really useful if we need to now have a key that’s already pre-generated that we can then create other types of encryption methods with.

Another function of a TPM is versatile memory. This is memory where we can store information. For instance, we can store keys in our TPM. Another thing that's useful is that you could have a piece of software scan a piece of hardware (scan the hard drive, scan the motherboard, scan the memory inside of your computer) and then cryptographically store that information inside the TPM.

And then when your software starts up again, it can perform the same checks, compare them to what it saw last time, and see if somebody might have swapped out the hard drive or changed the amount of memory inside of the system. You know that the change occurred because you were able to cryptographically sign the earlier measurements and store them in a way that was secure. So you'll know if anything has happened to that computer.
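An added illustration of the measure-and-compare idea just described (example code written for this page, not from the video or from any TPM vendor): it simulates a TPM's extend-only register and seals a key to the measured platform state, using constructed component values in place of real firmware and disk hashes.

```python
import hashlib

# Constructed component measurements, standing in for the hashes a real
# TPM-aware boot process would take of firmware, disk, memory config, etc.
BASELINE = {
    "firmware": b"BIOS 1.02 (constructed)",
    "disk": b"SSD serial S4F2-0001 (constructed)",
    "memory": b"2 x 8 GB DIMM (constructed)",
}

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(measurement)).
    A PCR cannot be written directly, only extended, so its final value
    depends on every measurement fed in and on their order."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_system(components: dict) -> bytes:
    """Extend one PCR with each component, starting from the all-zero
    power-on state, and return the resulting 32-byte register value."""
    pcr = bytes(32)
    for name in sorted(components):
        pcr = pcr_extend(pcr, name.encode() + b"=" + components[name])
    return pcr

def seal_key(key: bytes, pcr: bytes) -> dict:
    """Wrap a 32-byte key so it is only recoverable under the same PCR
    value (simulates TPM sealing; in a real chip the unwrap happens inside
    the TPM against its live PCRs, so the expected value never leaves it)."""
    assert len(key) == 32
    wrap = hashlib.sha256(b"seal-kdf|" + pcr).digest()
    blob = bytes(k ^ w for k, w in zip(key, wrap))
    return {"blob": blob, "check": hashlib.sha256(key).digest()}

def unseal_key(sealed: dict, pcr: bytes):
    """Return the key if the platform measures as it did at seal time,
    else None. A swapped disk or changed memory gives a different PCR,
    the unwrap produces garbage, and the integrity check fails."""
    wrap = hashlib.sha256(b"seal-kdf|" + pcr).digest()
    key = bytes(b ^ w for b, w in zip(sealed["blob"], wrap))
    return key if hashlib.sha256(key).digest() == sealed["check"] else None

if __name__ == "__main__":
    disk_key = hashlib.sha256(b"constructed disk encryption key").digest()
    sealed = seal_key(disk_key, measure_system(BASELINE))
    print("unchanged:", unseal_key(sealed, measure_system(BASELINE)) == disk_key)
    tampered = dict(BASELINE, disk=b"SSD serial X9Z1-7777 (constructed)")
    print("disk swapped:", unseal_key(sealed, measure_system(tampered)))
```

Because the register can only be extended, an attacker who changes a component cannot reset it to the old value; the only way to reproduce the sealed-to PCR is to present exactly the same measurements in the same order.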

This information is stored on the TPM and accessed via a password, so one of the things built into this very smart processor is a way to prevent brute force attacks or dictionary attacks against the TPM itself. That way you can be sure that your password isn't one that somebody's going to be able to find just by going through a huge list of dictionary words.

When you get into large scale or high end cryptography, you'll often run into these devices. These are hardware security modules, or HSMs. You'll usually see them as plug-in cards or PCI-type adapters in a computer. They may also be a separate standalone hardware device. And they can do a lot of things for us. They can back up our keys and keep them in a very secure environment so that nobody can access those keys except for us.

These may also have on them cryptographic accelerators. So a lot of the things that our systems are doing to be able to encrypt and decrypt and create keys and validate keys can be offloaded onto one of these specially designed pieces of hardware.

You’ll usually see these HSMs used in very large environments, especially ones where there is a lot of cryptography in use– financial organizations, credit card information, that type of thing. And usually you can cluster them together. There’s redundant power that you can get for them. That way, they can be very, very redundant and reliable. And even if you lose one of them, you can be assured that your cryptography functions will still continue to operate.

Our mobile USB data drives are now also getting very, very smart. There's a lot of hardware data encryption built right into some of these USB keys. This is hardware-based encryption that's built into the USB key itself. If you have one of these keys, you can be assured that the data on the key is always going to be encrypted. And we mean high speed encryption. It's AES 256-bit. It's very strong encryption that is on these USB drives.

There’s security software that’s also built into this. In fact, many of these come with a browser already as part of the USB key. Because you know that browser’s one that’s going to be trusted and you can browse the net and be assured that nobody can look in on what you’re doing.

This can also be used as a secure token. So if you're carrying around a pseudo-random number generator, or you'd like to have a two-factor method or a single sign-on method, you can use these USB encryption keys to perform that function as well.

And because these are so important and they carry such important data, they usually have a remote management function built into them. So if you happen to lose the USB key, an administrator can flag that key to be wiped the next time it is seen anywhere. When somebody plugs it into a computer, that USB key is going to talk out to the internet, realize that it's no longer in the hands of the person who originally had it, and automatically wipe everything that's on that USB drive. So there are some very nice remote administration functions there as well.

We talked in an earlier video about full disk encryption. But that is software that comes as part of your operating system, or software you can get from a third party to load onto your system. It requires at least a little bit of software.

But there is also hard drive encryption that you can get that is completely invisible to the operating system. It is a hardware device: you plug the drive into this encryption device and then connect that back to the motherboard. It sits in the middle between your motherboard and the drive itself, so everything flowing through it gets encrypted. It is one that can also integrate with a USB key.

So you can step up to your computer, plug in your USB key, and only if the right key is on that USB drive are you going to have access to the data that's contained on that encrypted hard drive. It is something that is very well engineered, where you simply have one connection going in and one connection going out. It's very high speed. You don't even know it's there. And the encryption on here is very strong. So if somebody were to get hold of your hard drives, they would still not have access to that data.

You can even chain them together. You might have a requirement that two people have to be present to gain access to that data. Both people have to plug their USB keys in, and only then is the data on that hard drive available. So there are a lot of nice hardware features there.

These days, with all of the types of data that we have and all of the importance associated with that data, we need to make sure that we’re able to use some of these hardware-based encryption methods to keep that data safe.