topic Re: need explanation TPM Binding (DL 380 Gen 9) in ProLiant Servers (ML,DL,SL)

need explanation TPM Binding (DL 380 Gen 9)

PhS- — Mon, 03 Feb 2020 14:33:16 GMT

Hello,

I would like some clarification on the BIOS Option "TPM Binding"

• TPM Binding — Sets whether data is encrypted using a TPM bind key, a unique RSA key.

Which Data are we talking about ? What is the TPM Bind key ( compare to the TPM not-bind? key )

Context :DL380 Gen 9 / Windows Server 2016 - 2019 / Bitlocker / TPM attestation ... etc etc

Thank you in advance.

Re: need explanation TPM Binding (DL 380 Gen 9)

DeepakJajware — Wed, 05 Feb 2020 16:42:50 GMT

Hello

The HPE Trusted Platform Module (TPM) works with programs such as Microsoft Windows® BitLocker™ to increase data security by storing the encryption startup key in hardware on the server, which provides a more secure environment by pairing the drive to the server. Pairing the drive to the server helps prevent the encrypted drive from being read if inserted in a different server. The HPE TPM can also store passwords, certificates, and encryption keys that can authenticate server hardware and software through remote attestation while the measured boot capability enhances the effectiveness of anti-malware solutions.

The HPE TPM options conform to the Trusted Computing Group specifications and provides hardware-based authentication and tamper detection preventing a TPM from being moved to another server or replaced.

Configuring Trusted Platform Module options

Procedure

From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Trusted Platform Module options and press Enter.
Select an option and press Enter, then select a setting for that option and press Enter again. On servers configured with an optional TPM, you can set the following:
1. TPM 2.0 Operation—Sets the operational state of TPM 2.0. Options are:
  - No Action—There is no TPM configured.
  - Enabled—TPM and Secure Boot (when enabled) are fully functional.
  - Disabled—TPM is visible but functionality is limited. This option also resets TPM to factory settings, clearing assigned passwords, keys, or ownership data.
    
    NOTE:
    Disabling TPM can prevent the server from booting to the TPM-aware operating system if the OS uses TPM measurements.
2. TPM 2.0 Visibility—Sets whether TPM is hidden form the operating system. Options are:
  - Visible
  - Hidden—Hides TPM from the operating system. Secure Boot is disabled and TPM does not respond to any commands. Use this setting to remove TPM options from the system without having to remove the actual hardware.
3. TPM Binding—Sets whether data is encrypted using a TPM bind key, which is a unique RSA key. Options are:
  - Enabled
  - Disabled
4. TPM UEFI Option ROM Measurement—Enables or disables (skips) measuring UEFI PCI operation ROMs. Options are:
  - Enabled
  - Disabled
Verify that your new Current TPM Type and Current TPM State settings appear at the top of the screen.
Press F10.

Thank you for Contacting HPE

Re: need explanation TPM Binding (DL 380 Gen 9)

PhS- — Thu, 06 Feb 2020 12:22:13 GMT

Hello,

Thank you for the Copy Paste from a documentation, but I am hoping for a real "human" answer.

"The HPE TPM options conform to the Trusted Computing Group specifications and provides hardware-based authentication and tamper detection preventing a TPM from being moved to another server or replaced."

I can insure you that recently the mother board was replaced and the TPM was "transported" from the deffetive montherboard to the new one .

My question is focussed on the understanding of

3. TPM Binding—Sets whether data is encrypted using a TPM bind key, which is a unique RSA key.

What is the bind key ? (How is it different to the non-bind key)

Which data are we talking about ?

Re: need explanation TPM Binding (DL 380 Gen 9)

TQ12 — Tue, 17 May 2022 06:28:02 GMT

hi there
no expert on the topic but had the same question.
i found the following article that helped me:
TPM functionality – ITris Academy (wordpress.com)
just search inside the page for tpm binding.
regards