Encryption technologies provide secure key storage, cryptographic functions, and data privacy. In this video, you’ll learn about HSMs, TPMs, secure enclaves, and more.
If you were to look at a modern motherboard, you would find a chip or subsystem called a Trusted Platform Module, or TPM. This is a standardized piece of hardware (the specification comes from the Trusted Computing Group) that is designed specifically to provide cryptographic functions for that computer. If you need a cryptographic primitive, such as generating random numbers or keys, you can have the TPM do it. The TPM also has persistent memory, so it can hold keys that were created inside it, or burned in at manufacture, that are unique to this one machine.
This becomes especially helpful when you need secure key generation for something like full-disk encryption, because the TPM can also store those keys on the local machine. If you wanted a separate set of keys for BitLocker, for example, you could have the TPM create and hold them on that system. Use of the stored keys is protected by an authorization value, and the TPM enforces a dictionary-attack lockout: after a set number of failed attempts it refuses further tries until a recovery period has passed, which makes brute-force or dictionary attacks against that value impractical rather than merely slow.
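As an added illustration, not from the video, here is a Python model of how the TPM 2.0 dictionary-attack lockout defeats PIN guessing. The parameter values (32 tries, a 10-minute recovery time) and the lockout authorization value are assumptions chosen for the example; the real values are set by the platform owner with TPM2_DictionaryAttackParameters and differ between vendors and operating systems.

```python
# Constructed model of the TPM 2.0 dictionary-attack (DA) lockout. Parameter
# values are assumptions for illustration; real values are set by the platform
# owner with TPM2_DictionaryAttackParameters and differ between vendors and OSes.
import hmac

MAX_TRIES = 32        # assumed maxTries: failures tolerated before lockout
RECOVERY_TIME = 600   # assumed recoveryTime: seconds per decrement of failedTries


class TpmDaLockout:
    """Tracks failedTries the way a TPM 2.0 does and gates authorization attempts."""

    def __init__(self, max_tries=MAX_TRIES, recovery_time=RECOVERY_TIME,
                 lockout_auth=b"assumed-lockout-auth"):
        self.max_tries = max_tries
        self.recovery_time = recovery_time
        self._lockout_auth = lockout_auth   # owner secret for TPM2_DictionaryAttackLockReset
        self.failed_tries = 0
        self._clock_start = 0.0             # model time the decay clock last ticked

    def _decay(self, now):
        # failedTries decrements by one for every full recoveryTime that has elapsed
        if self.failed_tries == 0:
            self._clock_start = now
            return
        steps = int((now - self._clock_start) // self.recovery_time)
        if steps > 0:
            self.failed_tries = max(0, self.failed_tries - steps)
            self._clock_start += steps * self.recovery_time

    def try_auth(self, guess, secret, now):
        """Return 'ok', 'fail' or 'lockout'. `now` is seconds on a model clock."""
        self._decay(now)
        if self.failed_tries >= self.max_tries:
            return "lockout"     # TPM_RC_LOCKOUT: attempt refused, counter untouched
        if guess == secret:
            return "ok"          # a success does not reset failedTries; only decay or a reset does
        self.failed_tries += 1
        return "fail"

    def lockout_reset(self, lockout_auth):
        """TPM2_DictionaryAttackLockReset: clears the counter, but only with lockoutAuth."""
        if not hmac.compare_digest(lockout_auth, self._lockout_auth):
            return False
        self.failed_tries = 0
        return True


def brute_force_seconds(keyspace, max_tries=MAX_TRIES, recovery_time=RECOVERY_TIME):
    """Worst-case time to exhaust `keyspace` guesses: the first maxTries are free,
    after that the TPM sustains only one attempt per recoveryTime."""
    if keyspace <= max_tries:
        return 0
    return (keyspace - max_tries) * recovery_time


def simulate_pin_attack(secret, guesses, tpm=None):
    """Submit one guess per model second and return the list of TPM responses."""
    if tpm is None:
        tpm = TpmDaLockout()
    return [tpm.try_auth(guess, secret, now=float(i)) for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    responses = simulate_pin_attack("9999", [f"{i:04d}" for i in range(40)])
    print(responses.count("fail"), "failures, then", responses.count("lockout"), "refusals")
    years = brute_force_seconds(10**6) / (3600 * 24 * 365)
    print(f"6-digit PIN: about {years:.0f} years at one try per {RECOVERY_TIME} s")
```

With these assumed parameters a six-digit PIN takes on the order of nineteen years to exhaust, and the only fast way out of lockout is the owner's lockoutAuth, which is exactly the secret an attacker with the stolen laptop does not have.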
You can think of a TPM as providing cryptographic functions for a single device. In a data center, though, we need to provide cryptographic functions for hundreds or thousands of devices. For that large-scale use we would want a Hardware Security Module, or HSM. HSMs in large environments are usually clustered, with redundant power supplies and network connectivity, so that the HSM is always available.
Imagine a thousand web servers in your data center and you need somewhere to securely store the encryption keys for all of them. In that scenario you would use an HSM to provide that secure storage. For cryptography at this scale it is more efficient to perform the operations in dedicated hardware, so many HSMs include a separate plug-in card or attached hardware designed specifically for very fast cryptographic operations.
An HSM is also built to keep keys inside tamper-resistant hardware: keys can be generated and used on the HSM, but the private material is never handed out in the clear, so you can centralize all of those sensitive keys while preventing unauthorized access to them. Additional hardware such as cryptographic accelerators can be added to an HSM, especially when it has to perform encryption and decryption in real time for a large computing environment.
So now we have encryption keys for our web servers, keys for full-disk encryption on individual devices, and each user may have their own certificates. We need some way to manage all of these keys, and we can do that through a centralized key management system. These systems can run on devices on your premises, or as a cloud-based service that can be accessed from anywhere.
This lets you manage all of these very different keys from a single management console, and it keeps the keys separate from the data they protect. You might create a series of keys: a TLS certificate and private key for a web server, an SSH key for remote access to a console, or keys used for Active Directory or BitLocker.
Once the keys are created, you associate them with specific users in the key management software, and you can set up automatic key rotation so that keys are replaced on a schedule. This is also the natural place for logging and reporting on all of the keys and how they are used in your environment. The dashboard of a key management system gives a summary of the types of keys in use: which certificate authorities have issued certificates, when certificates will expire, license details, and more.
To see the keys used for web servers, click on SSL, and you can see which keys have been created and which server each one is associated with. Similar information is available for SSH keys, where you can see the key name, the fingerprint, and where the key is used. And you can create reports on how keys are being used, which are active and which are inactive, and how often each key is utilized.
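The HSM and key management passages above describe one pattern from two sides: master keys that stay inside the HSM, and a management layer that versions, rotates and audits them. The following Python is an added example, not the video's or any product's code; `HsmLike`, `Kms` and the record layout are invented for this illustration, and the cipher is a standard-library stand-in (HMAC-SHA256 as a PRF in counter mode, then encrypt-then-MAC) for the AES-GCM a real HSM would use.

```python
# Constructed example: envelope encryption behind an HSM-style key holder, with a
# KMS layer that does versioning, rotation and an audit log. All names are invented.
# The cipher is a demonstration construction from the standard library (HMAC-SHA256
# in counter mode plus encrypt-then-MAC); a real deployment would use AES-GCM inside
# the HSM, but the key-handling pattern is the same.
import hashlib
import hmac
import os
import time


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    for counter in range(-(-length // 32)):        # ceil(length / 32) blocks
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
    return bytes(out[:length])


def seal(key, plaintext, aad=b""):
    """nonce || ciphertext || tag; `aad` is authenticated but not encrypted."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), aad + nonce + ct)


def open_sealed(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), aad + nonce + ct)):
        raise ValueError("authentication failed")  # tampered, or wrong key/version
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))


class HsmLike:
    """Master keys live only here, indexed by (key_id, version). No method returns
    key material: callers get wrap/unwrap of data keys, and every call is logged."""

    def __init__(self):
        self._keys = {}
        self.audit = []

    def _log(self, op, key_id, version):
        self.audit.append((time.time(), op, key_id, version))

    def create_version(self, key_id):
        version = 1 + max((v for k, v in self._keys if k == key_id), default=0)
        self._keys[(key_id, version)] = os.urandom(32)
        self._log("create", key_id, version)
        return version

    def wrap(self, key_id, version, data_key):
        self._log("wrap", key_id, version)
        return seal(self._keys[(key_id, version)], data_key, aad=f"{key_id}:{version}".encode())

    def unwrap(self, key_id, version, wrapped):
        self._log("unwrap", key_id, version)
        return open_sealed(self._keys[(key_id, version)], wrapped, aad=f"{key_id}:{version}".encode())


class Kms:
    """Envelope encryption: each object gets a fresh data key; only the wrapped
    data key and the master key version are stored next to the ciphertext."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.current = {}    # key_id -> newest version

    def rotate(self, key_id):
        """Create a new master version; older versions stay usable for decryption."""
        self.current[key_id] = self.hsm.create_version(key_id)
        return self.current[key_id]

    def encrypt(self, key_id, plaintext):
        data_key = os.urandom(32)
        version = self.current[key_id]
        return {"key_id": key_id, "version": version,
                "wrapped_key": self.hsm.wrap(key_id, version, data_key),
                "ciphertext": seal(data_key, plaintext)}

    def decrypt(self, record):
        data_key = self.hsm.unwrap(record["key_id"], record["version"], record["wrapped_key"])
        return open_sealed(data_key, record["ciphertext"])

    def rewrap(self, record):
        """After rotation: move a record to the newest master version without
        touching the ciphertext, so the old version can eventually be retired."""
        data_key = self.hsm.unwrap(record["key_id"], record["version"], record["wrapped_key"])
        version = self.current[record["key_id"]]
        return {**record, "version": version,
                "wrapped_key": self.hsm.wrap(record["key_id"], version, data_key)}
```

Rotation creates a new master version but keeps the old one, so existing ciphertexts still decrypt; `rewrap` migrates a record to the newest version without re-encrypting the data, and the audit list records which key version was touched by which operation, which is the raw material for the usage reports described above.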
When all of our data was stored on one central mainframe, providing security was relatively easy: we only had to keep people away from that one source of data. Today our data is spread across many different systems: a laptop, a mobile phone, computers at home, and many other places. So how do we maintain the privacy of our data when it is distributed onto so many systems?
Another challenge is that as soon as we find a secure way to store data, attackers find ways to get at it; it’s a constant race to stay a step ahead of people trying to get their hands on your information. And the data we use is constantly changing, so we not only need to keep it private, we also need to be able to change it easily at any time.
One way we provide this privacy is through a secure enclave. A secure enclave is a security processor built into the systems we use; you probably have one in your mobile phone, and perhaps in your laptop or desktop as well. It is not the primary CPU of the system but a separate processor whose only job is protecting keys and sensitive data.
Different manufacturers have different names for this security processor, but generically we call it a secure enclave. This is the technology that keeps your data private even if your phone or another device falls into someone else’s hands. It is a separate, isolated processor with its own boot ROM: it boots and verifies its own firmware independently of the main processor, monitors the boot process, and keeps its memory and keys out of reach of the operating system running on the main CPU.
It has a true random number generator. It encrypts its own memory in real time as data moves in and out. It has cryptographic keys fused in at manufacture that cannot be changed and that serve as the root for all of the other cryptography on the system. And it performs AES encryption in hardware. This is only a summary of what a secure enclave provides, but you can see how these processors work to keep your data private regardless of where it happens to be.
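To make the root-key idea concrete, here is an added Python model, not the video's material or any vendor's design, of a key hierarchy rooted in a UID fused into the enclave. `SecureEnclaveModel`, the derivation labels and the PBKDF2 iteration count are assumptions for illustration; HKDF is implemented as specified in RFC 5869.

```python
# Constructed model of a secure enclave's key hierarchy. The names, labels and
# derivation layout are assumptions for illustration, not any vendor's design.
# What it shows: every key is derived from a root (UID) fused into the enclave
# at manufacture, which never leaves it, so keys are bound to one device and
# passcode guessing has to happen on that device.
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) built from the standard library: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


class SecureEnclaveModel:
    """Only derived keys ever come out. The UID sits in a name-mangled attribute
    and there is no export method; that stands in for the hardware isolation
    that keeps the real UID unreadable even by the main CPU."""

    def __init__(self, uid):
        self.__uid = uid          # fused at manufacture; cannot be changed

    def device_key(self, purpose):
        """A key that exists only on this device, e.g. a full-disk encryption key."""
        return hkdf_sha256(self.__uid, salt=b"enclave-root", info=b"device:" + purpose)

    def passcode_key(self, passcode, salt):
        """Entangle the user's passcode with the UID. The slow stretching step
        takes the UID as input, so it can only be evaluated inside this enclave:
        an attacker who copies the encrypted storage cannot guess passcodes
        offline on faster hardware."""
        stretched = hashlib.pbkdf2_hmac("sha256", self.__uid + passcode, salt, 100_000)
        return hkdf_sha256(stretched, salt=b"passcode-class", info=b"passcode")

    def file_key(self, passcode, salt, file_id):
        """Per-file key under the passcode-protected class: unlocking the class
        key makes its files readable; without it they stay unreadable."""
        return hkdf_sha256(self.passcode_key(passcode, salt), salt=b"file-class", info=file_id)


def same_passcode_same_key(passcode, salt, uid_a, uid_b):
    """True only if two enclaves with the given UIDs derive the same passcode key."""
    return (SecureEnclaveModel(uid_a).passcode_key(passcode, salt)
            == SecureEnclaveModel(uid_b).passcode_key(passcode, salt))
```

The practical consequence is the one the video describes: the same passcode on two devices yields unrelated keys, and a copy of the storage taken off the device is useless without the enclave that holds the UID.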