Secure Boot and TPM (what does it do to the system drive)


  1. Posts : 141
    Win10 Pro 21H1
       #1

    Secure Boot and TPM (what does it do to the system drive)


    Hi

    I'm becoming more and more confused over TPM and perhaps to a lesser extent on Secure Boot. Sure, I've got both enabled on my PC but exactly what do they do, particularly TPM? Yes, the TPM stores keys (or parts of keys) and generally provides a higher level of security of which I fully approve. However, what I'm uncertain of is: what does it do to the System Disk? I've heard all sorts of people imply that it actually encrypts the system drive but I've not found anything definitive about this. I've read many articles hoping to get the answer but no-one is saying anything about this so can it be assumed that it doesn't encrypt the System Drive? What I do know is that it enables a disk to be encrypted using Bitlocker but beyond this I have little idea what it does. One thing I'm sure of is that the TPM does a lot more than my current understanding suggests.

    There's also the question of what should be done when installing a new OS, Windows 11 for example. Should both Secure Boot and the TPM be disabled? Are there any other times that these two items should be disabled, for example when stripping the PC down ready for a re-build? Perhaps both items should be disabled before doing anything which changes its configuration, e.g. installing a new GPU or even a hard drive/SSD. I just don't know what the implications are with both Secure Boot and TPM enabled.

    I'm hoping someone on this forum can help me on this matter and perhaps point me towards web pages that may explain it and help clear up my confusion. Any help would be most appreciated. Thank you.

    Tracey

    PS I'm currently on the latest version of Windows 10 (21H1) with all updates installed as they come in.


  2. Posts : 920
    Windows 10 Pro
       #2

    Here is a surprisingly simple to follow explanation, What is a TPM, and how do I find it and turn it on? | PCWorld
    As far as Windows 11 goes it seems at the moment both TPM and secure boot have to be enabled to install it, but can be switched off after install. This is subject to change though as MS are still working on the OS.


  3. Posts : 141
    Win10 Pro 21H1
    Thread Starter
       #3

    Thanks for getting back to me so quickly Pejole2165.

    I've had a look at the site you mention but it still doesn't say whether the System Disk is encrypted or whether you should disable Secure Boot and TPM when doing anything serious to your PC. I have three PCs here that I am looking after and it would be nice to know what happens. Does TPM just enable encryption or does the TPM itself do the encryption. Presumably it does something to the drive otherwise you could remove the drive and use it anywhere else, as is, any time you wanted -- but what does it do???

    Tracey


  4. Posts : 8,114
    windows 10
       #4

    Secure Boot is in the BIOS. It has knowledge of the O/S registered in the BIOS database; on boot it checks the boot-up, and if the Windows is registered it allows the boot. If a virus has infected the boot, it stops the boot-up.


  5. Posts : 920
    Windows 10 Pro
       #5

    TPM is, as you surmised, a key generator/storage device; it does not encrypt the system disk. I have updated Windows, the motherboard BIOS, upgraded Windows builds, clean installed Windows (booting from a USB flash drive), booted with a Macrium boot USB, imaged Windows from a 2.5" SSD to a new NVMe drive and booted with no issues... all without turning Secure Boot off or messing with the TPM settings (default to on).
    Some implementations of secure boot may require it to be disabled while booting from a USB as some people have suggested in these forums when trying to clean install Windows, I personally have never had to change any settings.


  6. Posts : 141
    Win10 Pro 21H1
    Thread Starter
       #6

    Samuria

    I know TPM is in the BIOS. Don't forget I did say I had it enabled on my PC and to do that I had to go into my UEFI setup firmware. What I asked was "What does it do to the System Drive" and "Does it have to be disabled before installing, for example, Windows 11 or even changing a hard drive".

    I have heard several people imply that it encrypts the System Drive but I've been unable to get a straight answer to that question either by reading many web pages or asking on this forum -- so far! Obviously something is done to the drive, otherwise I could take it out, change the drivers and carry on using it elsewhere, but apparently this can't be done. However, no-one is saying what it does to the hard drives or whether there are occasions when you have to disable TPM (and Secure Boot). The only conclusion I can come to is that no-one really knows.

    Please don't think I'm having a go at you. I'm sorry if that is how you feel but it's certainly not my intention and it's not why I started this thread. All I am trying to do is learn a lot more about the TPM and Secure Boot.

    Tracey


  7. Posts : 8,114
    windows 10
       #7

    It has no effect on the system drive; it doesn't encrypt or anything else. Some PCs can have the Intel lock which stops the disk being copied or put in another PC, but TPM is just not normally used.


  8. Posts : 141
    Win10 Pro 21H1
    Thread Starter
       #8

    Samuria

    Thanks for getting back to me. So are you saying that what I believed was true is in fact wrong in that you can remove the drive, change the drivers and reuse the drive elsewhere all without disabling the TPM? Everything I've heard suggests you can't do that, at least not with the TPM enabled.

    Tracey


  9. Posts : 8,114
    windows 10
       #9

    TPM is used by things like BitLocker as it creates longer keys; TPM itself doesn't do anything. You can clear everything in TPM with a simple cmd.


  10. Posts : 1,223
    W10-Pro 22H2
       #10

    Samuria said:
    "TPM is used by things like BitLocker as it creates longer keys; TPM itself doesn't do anything. You can clear everything in TPM with a simple cmd."

    Tracy: I suspect I am in the same confused position as are you: where is the protection if what Samuria and Pejole say is true? (and I am not doubting them for a moment). It seems to me that the one situation where the TPM would protect would be if the HDD/SSD was encrypted with a key stored in the TPM, and then the disc became detached from the motherboard which 'contains' the TPM - then it would be difficult[*] to decrypt the data - but how often is this going to happen? If someone steals my laptop, complete with encrypted disc and TPM module, they can (apparently) do anything I can do. How is my data on the laptop any safer than with non-TPM encryption (where I know the key, and keep it secret)? I think this is the stance that the VeraCrypt maintainers adopt. See VeraCrypt - Free Open source disk encryption with strong security for the Paranoid
    [*] Since any electronic thing can fail, then having the decryption key only stored in the TPM would be a risk - AIUI, in the case of Bitlocker (and, I imagine, any decent product) one can always use one's backup recovery key - the TPM module just keeps a (partial) decryption key handily available, and as this article says
    What is a TPM, and Why Does Windows Need One For Disk Encryption?
    it means that something more than what is on the TPM is required: apparently one's Windows login info. The TPM becomes the 'have' part of the security pairing: something you have and something you know - not that I read that anywhere, I just thought of it - it may be nonsense.

    PS I don't use encryption.
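    A way to see for yourself how the three pieces discussed in this thread fit together on your own machine, as an added example that is not from any poster here: it reads the Secure Boot state, the TPM state and the BitLocker key protectors on the OS volume, and flags the two things post #10 worries about (a TPM-only unlock and a missing recovery password). It assumes an elevated PowerShell prompt on Windows 10/11 and that the OS volume is C: (both assumptions); the only write operations are left commented out.

    ```powershell
    # Added example (not from any poster in this thread). Assumes elevated PowerShell and OS volume C:.
    # Each of the three components does a different job, and only one of them encrypts anything:
    #   Secure Boot  - firmware verifies signatures on the boot chain before running it.
    #   TPM          - stores/seals keys and measures the boot chain; it does not touch the disk.
    #   BitLocker    - encrypts the volume; its key is what gets sealed in the TPM.

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines, hence the try/catch.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'n/a (legacy BIOS or unsupported)' }

    # 2. TPM presence and readiness (TrustedPlatformModule module, built into Windows 10/11).
    $tpm = Get-Tpm

    # 3. BitLocker state and the list of key protectors on the OS volume.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        SecureBoot       = $secureBoot
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress
        ProtectionStatus = $vol.ProtectionStatus   # On / Off ("Off" = volume key is exposed in the clear)
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes128; "None" if BitLocker is not used at all
        KeyProtectors    = ($protectorTypes -join ', ')
    } | Format-List

    # A 'Tpm' protector alone releases the key whenever the same motherboard boots an unmodified
    # boot chain (the TPM seals the key to the boot measurements). Move the disk to another PC or
    # tamper with the boot loader and the measurements change, so the TPM refuses and BitLocker
    # asks for the 48-digit recovery password instead. That is the "something you have" factor
    # from post #10; a pre-boot PIN ('TpmPin') is the "something you know" that is missing if a
    # thief walks off with the whole machine.
    if ($protectorTypes -contains 'Tpm' -and $protectorTypes -notcontains 'TpmPin') {
        Write-Warning 'OS volume unlocks with the TPM alone; no pre-boot PIN is configured.'
        # Adding a PIN requires the policy "Require additional authentication at startup" to permit it:
        # $pin = Read-Host -AsSecureString 'New BitLocker PIN'
        # Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
    }

    # The recovery password is the fallback for exactly the cases this thread asks about: firmware
    # updates, toggling Secure Boot, clearing the TPM, or moving the drive. Keep a copy OFF this disk.
    if ($protectorTypes -notcontains 'RecoveryPassword') {
        Write-Warning 'No RecoveryPassword protector; add one before changing firmware or TPM settings.'
        # Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    }

    # Before a BIOS update or Secure Boot/TPM change, suspend protection for one reboot so the key
    # is re-sealed to the new measurements instead of prompting for recovery on the next boot:
    # Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
    ```

    If `EncryptionMethod` reports `None`, the TPM and Secure Boot are still doing their boot-integrity jobs, but nothing on the drive is encrypted, which is the situation several posters describe.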


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.