The security plus covers all kinds of hardware and firmware security and to lump it all together a little bit. I'm using this episode as my popery section to make sure that I'm covering a broad cross section of objectives that definitely fit under the idea of hardware and firmware security. So bear with me as we bounce through a couple of small but important different types of topics well, more than a couple. Anyway, let's go ahead and get started with the concept of full disk encryption or FTP. The best security you can do for mass storage is to encrypt your mass storage. And full disk encryption is one methodology that we do this now.
Typically, when we talk about full disk encryption, we're talking about using software or firmware based tools. In the windows world, we use something called BitLocker. Now BitLocker takes advantage of the concept of Trusted Platform Module. This is something that's built into pretty much all modern motherboards. Where you have a little chip on there that stores a unique key for that system, we're going to enable BitLocker on this system. And the nice part is, is that if this hard drive is ever separated from this motherboard, there is no way that anybody is going to be able to get to the data.
So let's go ahead and get started and fire up BitLocker on this system right here. So I'm just going to run over to the BitLocker configuration. There it is. Right now you can see BitLocker is off. And let's go ahead and turn it on. Whoops, this device can't use a Trusted Platform Module.
Wait a minute. All it's saying to me right now is that TPM has not been turned on. And this is a big problem with BitLocker and other full disk encryption tools. If the TPM isn't enabled and running, we're in trouble. So what we're going to have to do is let's jump into bias real quick turn on TPM. So now that we're in our bias, let's figure out where we have to go to turn on TPM.
So on this one, just because I've done it Before, it's right up here at the top Intel platform trust technology. That is despite they whether they say it or not, that is TPM. So let's go ahead and enable that. Now we're going to have to reboot, but this is ready to go. Okay, we're all rebooted. Let's try BitLocker.
One more time. Now, this time, now that I have the TPM module turned on, it should kick right over. Yay. All right. Now, the first thing it's going to ask is once a recovery key, this can be really important. If by some chance the motherboard died, for example, I wouldn't have the key the TPM module would be destroyed, and the data would be lost.
So you can actually make yourself a recovery key. You can store it in a Microsoft account, you can actually print it out on paper if you want. And it would only be used if the actual motherboard itself was destroyed in some way. Otherwise, you're not going to get this data back and by the When I say you're not going to get this data back, the United States Department of Justice, who I've done a lot of business with, is unable to currently crack BitLocker. It's a very, very powerful encryption. Now, what I'm going to do right now is I'm going to cancel this, simply because running BitLocker can take a very, very long time on the initial time, and we don't need to watch a progress bar move along.
Now BitLocker is great and full disk encryption is amazing. But for a lot of people, they want to make it even a little bit easier. And that's where we get into something like this. What I've got here is a hard drive which is self encrypting, you actually buy the hard drive like this, and it's ready to be completely self encrypting. It's got all of the TPM module built into the drive itself. When I plug this into a system, when I first boot it up, a little thing pops up and says, Please give a password for this drive.
Once that password is generated every time this drive is accessed, or at least During boot, every time when this drive has access, you have to enter that password and do not ever lose it because if you do my friends, you will literally never get that data back. However, it's incredibly convenient and a lot of people as opposed to using things like BitLocker much prefer self encrypting drives. Alright, well that's it for drives. Now let's take a minute and let's talk about something called secure boot. People get pretty paranoid about their systems. If you think about the last 30 plus years of malware and evil things that have happened to systems, the idea of being able to protect your system with hardware and firmware is a very attractive option.
TPM, which is great as a Trusted Platform Module goes way beyond simply activating BitLocker. The current TPM standard TPM two dot o includes something called secure boot the whole idea behind secure boot is that your operating system, your your complete system. Every time it boots sort of checks the quality of everything that's in it, and the firmware, and the applications and everything. Everything must be signed. Amazing. Hmm.
Now, that does get a little bit big brother for Linux users and people like that the fact that they can't play with the boot sectors or anything without the system completely going nuts can be very, very frustrating. But like within the windows world with Windows 10, you're required to use secure boot. It's part of the operating system. Now. It's sometimes though, we might really like Big Brother. Let me give you a great example.
Your car probably has an embedded operating system and it probably has two or three. So just imagine that big navigation computer at the very front of your system. How would you like a bad guy putting something in there and causing trouble or your smartphone How about some evil person injecting some malware into it? Those are places where suddenly I become to love big brother, sorry, 1984. But the bottom line is, is that by doing stuff like this, we create what's known as a hardware Root of Trust. We have a big brother, it could be Microsoft or somebody like that, or Intel, who has an essence a root certificate that everybody signs from anybody attempting to inject anything into these embedded systems will prevent the system from booting up.
In most cases, depending on the operating system. It can literally go back to a snapshot automatically before anything was injected. And things like cars and things like smartphones, it's really really difficult to put malware onto them anymore because of a properly handled secure boot. More than that it even forces a secure supply chain. If anybody wants to have anything to add to for example, you Your Apple phone, they have to go through apple and they have to be certified, they have to be placed into the Apple store in such a way that we can count on a high degree of security. So there's times where you can love Secure Boot probably not so much on desktops, but by golly, on embedded systems, it's a real attractive option.
All right, there's one more thing I'd like to add. And that is something that I'm not even sure why come to put it in. It's not that it's unimportant, but it's kind of rare. It's called a hardware security module. In this world with all these certificates and everybody signing everything, you can put a lot of workload on your CPU, just checking certificates, checking digital signatures, going through the calculations to confirm somebody's good. So what we can do and this is fairly easily done, is we can get a hardware security module.
Hardware security modules are nothing but hardware whose only job is to calculate and check size manage to make sure everything's okay. They can store keys, they can do whatever you need to within the world of signing to make sure everything's okay. We see this a lot. For example, with web servers, I've got a web server and each one of these web servers is running HTTPS, as opposed to making each server work so hard. A lot of companies will just put a big HSM box in there that everybody plugs into, and it handles all the signing for it. Equally, I think I actually have a picture of this you have, okay, so look at this.
So this is actually a card that we can snap into a computer. And we call this an HSM card, and it handles it all for us. Now, keep in mind, that HSM is really only going to be used in places where there's a lot of signing going on your regular desktop, your regular Android smartphone, they can handle what they need internally. We're talking about server type situations where there's a lot of people coming on board.