WEBVTT

1
00:00:00.000 --> 00:00:01.590
In this lesson,

2
00:00:01.590 --> 00:00:04.560
we will learn about roots of trust.

3
00:00:04.560 --> 00:00:07.020
Roots of trust are the foundation

4
00:00:07.020 --> 00:00:10.050
upon which all secure operations

5
00:00:10.050 --> 00:00:12.510
of a computing system depend.

6
00:00:12.510 --> 00:00:14.850
Roots of trust contain the keys

7
00:00:14.850 --> 00:00:17.130
used for cryptographic functions

8
00:00:17.130 --> 00:00:20.100
and enable a secure boot process.

9
00:00:20.100 --> 00:00:22.080
They are inherently trusted

10
00:00:22.080 --> 00:00:25.710
and therefore must be secure by design.

11
00:00:25.710 --> 00:00:27.540
Roots of trust concepts

12
00:00:27.540 --> 00:00:31.770
include Trusted Platform Modules or TPMs,

13
00:00:31.770 --> 00:00:35.130
Virtual TPMs or vTPMs,

14
00:00:35.130 --> 00:00:39.450
and Hardware Security Modules or HSMs.

15
00:00:39.450 --> 00:00:43.260
Let's learn more about roots of trust concepts.

16
00:00:43.260 --> 00:00:47.983
First, we have Trusted Platform Modules or TPMs.

17
00:00:47.983 --> 00:00:52.410
A TPM is a physical chip installed on a motherboard

18
00:00:52.410 --> 00:00:55.470
that acts as a hardware root of trust

19
00:00:55.470 --> 00:00:58.710
located within the BIOS of your system.

20
00:00:58.710 --> 00:01:02.550
The TPM securely stores cryptographic keys,

21
00:01:02.550 --> 00:01:05.370
digital certificates, hashed passwords,

22
00:01:05.370 --> 00:01:08.610
and performs cryptographic operations.

23
00:01:08.610 --> 00:01:13.290
The TPM plays a critical role in ensuring secure boot

24
00:01:13.290 --> 00:01:16.860
and system integrity by validating the BIOS,

25
00:01:16.860 --> 00:01:20.280
operating system, and other critical components

26
00:01:20.280 --> 00:01:24.630
during startup to ensure they have not been tampered with.

27
00:01:24.630 --> 00:01:28.620
TPMs generate and manage cryptographic keys,

28
00:01:28.620 --> 00:01:30.990
including RSA keys,

29
00:01:30.990 --> 00:01:34.560
and they use a true random number generator

30
00:01:34.560 --> 00:01:37.230
to support secure key creation.

31
00:01:37.230 --> 00:01:40.410
The TPM includes persistent memory

32
00:01:40.410 --> 00:01:43.320
for crucial keys like the endorsement key

33
00:01:43.320 --> 00:01:47.610
and storage root key, along with versatile memory

34
00:01:47.610 --> 00:01:50.880
for storing platform configuration registers

35
00:01:50.880 --> 00:01:53.520
and attestation identity keys.

36
00:01:53.520 --> 00:01:58.440
In application, a physical server uses its TPM

37
00:01:58.440 --> 00:02:00.780
to secure its boot process,

38
00:02:00.780 --> 00:02:04.470
ensuring that it starts up in a secure state.

39
00:02:04.470 --> 00:02:08.550
TPMs also work with full disk encryption solutions

40
00:02:08.550 --> 00:02:11.910
like BitLocker, using stored encryption keys

41
00:02:11.910 --> 00:02:16.470
to keep data safe even if a device is lost or stolen.

42
00:02:16.470 --> 00:02:19.380
Wow, that is a lot of functionality

43
00:02:19.380 --> 00:02:22.740
located in this one little TPM chip.

44
00:02:22.740 --> 00:02:24.847
So you are probably wondering,

45
00:02:24.847 --> 00:02:27.960
"Do I have to memorize all of those different things,

46
00:02:27.960 --> 00:02:30.510
all of those different keys for the exam?"

47
00:02:30.510 --> 00:02:32.400
Well, no, not really.

48
00:02:32.400 --> 00:02:34.980
Instead, you really need to remember

49
00:02:34.980 --> 00:02:38.190
that the Trusted Platform Module or TPM

50
00:02:38.190 --> 00:02:40.260
is a hardware root of trust,

51
00:02:40.260 --> 00:02:44.430
and that it helps ensure your system boots securely.

52
00:02:44.430 --> 00:02:46.350
It does this by attesting

53
00:02:46.350 --> 00:02:48.960
that the BIOS has not been modified

54
00:02:48.960 --> 00:02:51.570
and that the firmware can be trusted.

55
00:02:51.570 --> 00:02:53.670
Additionally, for the exam,

56
00:02:53.670 --> 00:02:58.140
you do not need to know how to modify or configure your TPM.

57
00:02:58.140 --> 00:03:00.180
However, in the real world,

58
00:03:00.180 --> 00:03:02.400
you may be asked to work with them,

59
00:03:02.400 --> 00:03:06.210
so it's important to be familiar with the process.

60
00:03:06.210 --> 00:03:09.090
So if needed, you could always refer

61
00:03:09.090 --> 00:03:12.900
to the latest documentation on microsoft.com

62
00:03:12.900 --> 00:03:15.660
for guidance on how to properly modify

63
00:03:15.660 --> 00:03:20.430
and configure your TPM based on your specific needs.

64
00:03:20.430 --> 00:03:25.430
Second, we have Virtual Trusted Platform Modules or vTPMs.

65
00:03:26.640 --> 00:03:29.490
vTPMs extend the functionality

66
00:03:29.490 --> 00:03:33.690
of physical TPMs into virtualized environments.

67
00:03:33.690 --> 00:03:37.860
Unlike physical TPMs, which are hardware based,

68
00:03:37.860 --> 00:03:41.370
vTPMs are software implementations

69
00:03:41.370 --> 00:03:45.060
that emulate the security features of TPMs

70
00:03:45.060 --> 00:03:46.980
within virtual machines,

71
00:03:46.980 --> 00:03:50.190
providing a virtual root of trust.

72
00:03:50.190 --> 00:03:54.900
vTPMs generate and manage cryptographic keys,

73
00:03:54.900 --> 00:03:58.230
secure the boot process of virtual machines,

74
00:03:58.230 --> 00:04:03.230
and validate system integrity just like physical TPMs.

75
00:04:03.300 --> 00:04:07.230
They handle key generation, encryption, decryption,

76
00:04:07.230 --> 00:04:09.270
and signature verification,

77
00:04:09.270 --> 00:04:11.880
allowing virtual machines to achieve

78
00:04:11.880 --> 00:04:15.840
the same level of security as physical devices.

79
00:04:15.840 --> 00:04:20.840
Managed through platforms like VMware or Microsoft Hyper-V,

80
00:04:21.420 --> 00:04:24.780
vTPMs allow virtual instances

81
00:04:24.780 --> 00:04:28.260
to maintain individual security postures

82
00:04:28.260 --> 00:04:31.380
while benefiting from the same attestation

83
00:04:31.380 --> 00:04:36.380
and cryptographic capabilities provided by physical TPMs.

84
00:04:36.540 --> 00:04:40.770
In practice, virtual machines on a physical server

85
00:04:40.770 --> 00:04:45.770
utilize vTPM instances to secure their own boot processes,

86
00:04:46.530 --> 00:04:49.350
creating a consistent security approach

87
00:04:49.350 --> 00:04:53.160
across both physical and virtual environments.

88
00:04:53.160 --> 00:04:54.390
For the exam,

89
00:04:54.390 --> 00:04:59.023
focus your studies on the distinguishing features of a TPM,

90
00:04:59.023 --> 00:05:03.930
a vTPM, and a hardware security module or HSM,

91
00:05:03.930 --> 00:05:06.420
which we'll talk about in just a minute.

92
00:05:06.420 --> 00:05:07.380
In this case,

93
00:05:07.380 --> 00:05:11.880
a vTPM provides the same functionality as a TPM,

94
00:05:11.880 --> 00:05:15.060
but is designed specifically for virtual machines,

95
00:05:15.060 --> 00:05:17.640
offering similar security measures

96
00:05:17.640 --> 00:05:19.950
in a virtualized environment.

97
00:05:19.950 --> 00:05:21.450
Third and last,

98
00:05:21.450 --> 00:05:25.470
we have Hardware Security Modules or HSMs.

99
00:05:25.470 --> 00:05:29.160
HSMs are dedicated hardware roots of trust

100
00:05:29.160 --> 00:05:32.880
designed to manage and protect cryptographic keys

101
00:05:32.880 --> 00:05:35.760
and perform cryptographic operations

102
00:05:35.760 --> 00:05:38.040
across multiple machines.

103
00:05:38.040 --> 00:05:42.660
Unlike TPMs, which are embedded on individual motherboards,

104
00:05:42.660 --> 00:05:45.630
HSMs are standalone appliances

105
00:05:45.630 --> 00:05:49.290
or specialized cards that offer high security

106
00:05:49.290 --> 00:05:52.440
for key management, encryption, decryption,

107
00:05:52.440 --> 00:05:55.590
and digital signatures on a larger scale

108
00:05:55.590 --> 00:05:58.110
and across multiple devices.

109
00:05:58.110 --> 00:06:01.560
HSMs are used in enterprise environments

110
00:06:01.560 --> 00:06:03.720
to handle cryptographic tasks

111
00:06:03.720 --> 00:06:07.410
that require robust protections against tampering

112
00:06:07.410 --> 00:06:09.540
and insider threats.

113
00:06:09.540 --> 00:06:13.800
They also provide a secure environment for generating keys

114
00:06:13.800 --> 00:06:18.800
such as RSA, Elliptic Curve, and AES keys.

115
00:06:18.960 --> 00:06:21.540
They also store these keys securely

116
00:06:21.540 --> 00:06:24.390
to prevent unauthorized access.

117
00:06:24.390 --> 00:06:26.760
HSMs are commonly used

118
00:06:26.760 --> 00:06:31.500
to protect master encryption keys across physical servers

119
00:06:31.500 --> 00:06:33.090
and virtual machines,

120
00:06:33.090 --> 00:06:36.780
ensuring centralized secure key management.

121
00:06:36.780 --> 00:06:38.130
In application,

122
00:06:38.130 --> 00:06:41.580
Hardware Security Modules can be used to manage

123
00:06:41.580 --> 00:06:45.510
and protect encryption keys for multiple servers.

124
00:06:45.510 --> 00:06:49.740
So HSMs are dedicated hardware devices

125
00:06:49.740 --> 00:06:53.190
designed to manage and protect cryptographic keys

126
00:06:53.190 --> 00:06:55.800
and perform cryptographic operations

127
00:06:55.800 --> 00:06:58.320
across multiple machines.

128
00:06:58.320 --> 00:07:03.150
So HSMs are used in various business cases,

129
00:07:03.150 --> 00:07:07.440
including managing key pairs for public key infrastructure,

130
00:07:07.440 --> 00:07:10.740
encrypting PINs for payment card systems,

131
00:07:10.740 --> 00:07:15.060
processing transport layer security or TLS connections,

132
00:07:15.060 --> 00:07:18.630
and signing large DNS zone files.

133
00:07:18.630 --> 00:07:22.200
They provide a secure environment for generating

134
00:07:22.200 --> 00:07:27.200
and storing keys like RSA, Elliptic Curve, and AES keys,

135
00:07:27.300 --> 00:07:28.890
which we've already mentioned.

136
00:07:28.890 --> 00:07:30.840
This ensures centralized

137
00:07:30.840 --> 00:07:34.320
and secure key management across physical servers

138
00:07:34.320 --> 00:07:35.970
and virtual machines.

139
00:07:35.970 --> 00:07:38.160
Designed to be tamper evident,

140
00:07:38.160 --> 00:07:41.940
HSMs also help mitigate insider threats

141
00:07:41.940 --> 00:07:45.750
and provide robust security for sensitive data.

142
00:07:45.750 --> 00:07:48.360
However, they can be expensive

143
00:07:48.360 --> 00:07:50.850
due to their specialized hardware,

144
00:07:50.850 --> 00:07:53.400
and they can be difficult to upgrade

145
00:07:53.400 --> 00:07:55.560
due to their physical nature.

146
00:07:55.560 --> 00:08:00.300
So remember, roots of trust are critical components

147
00:08:00.300 --> 00:08:02.940
that provide the secure foundation

148
00:08:02.940 --> 00:08:06.390
for all operations in a computing system.

149
00:08:06.390 --> 00:08:10.950
They manage cryptographic keys, validate system integrity,

150
00:08:10.950 --> 00:08:13.710
and ensure secure boot processes,

151
00:08:13.710 --> 00:08:18.120
making them inherently trusted and secure by design.

152
00:08:18.120 --> 00:08:22.020
Roots of trust include Trusted Platform Modules,

153
00:08:22.020 --> 00:08:24.390
Virtual Trusted Platform Modules,

154
00:08:24.390 --> 00:08:27.060
and Hardware Security Modules,

155
00:08:27.060 --> 00:08:29.850
each serving specific security needs

156
00:08:29.850 --> 00:08:31.920
in different environments.

157
00:08:31.920 --> 00:08:35.130
Trusted Platform Modules or TPMs

158
00:08:35.130 --> 00:08:38.580
are physical chips embedded in systems

159
00:08:38.580 --> 00:08:42.000
to manage keys and validate boot integrity.

160
00:08:42.000 --> 00:08:46.380
Virtual Trusted Platform Modules or vTPMs

161
00:08:46.380 --> 00:08:51.360
extend physical TPM capabilities to virtual machines,

162
00:08:51.360 --> 00:08:53.610
offering similar security,

163
00:08:53.610 --> 00:08:56.580
but within virtualized environments.

164
00:08:56.580 --> 00:09:01.230
Finally, Hardware Security Modules or HSMs

165
00:09:01.230 --> 00:09:03.300
are standalone devices

166
00:09:03.300 --> 00:09:07.050
that provide high-level cryptographic key management

167
00:09:07.050 --> 00:09:09.180
across multiple machines,

168
00:09:09.180 --> 00:09:12.690
ensuring robust protection against tampering

169
00:09:12.690 --> 00:09:16.983
and unauthorized access in enterprise settings.

