Trying to understand Trusted Computing? TPM module ..
My goal is to eventually implement TPM on my Linux machine and be able to have a spot on the hard disk that is encrypted.
So far I am working with TPM on Windows; it was more straightforward to install, so I am trying to figure it out on this platform first.
I understand key wrapping and sealing/unsealing. What I don't understand is: when I initialize the TPM, what does that do for me? I know BitLocker will work with TPM and give you more functionality, but what does it do when I initialize it?
So far my thought is that TPM does nothing, and you have to write programs that communicate with it to do the encryption you want. Is this correct? Or when I initialize the TPM, is there some way I can encrypt a folder with files in it right away?
Trusted Computing has been discussed here in LQ-Sec a few times in the past at length. My first suggestion would be to search for the term in this forum, as the existing posts will provide you with a lot of information, especially with regard to what trusted computing is and isn't. Wikipedia also has a pretty good article on the subject, last time I checked.
Quote:
or when I initialize the TPM, is there some way i can encrypt a folder with files in it right away?
This sounds more like file/folder encryption where the drive volume is encrypted than trusted computing. Perhaps you could clarify what you are trying to do?
Thanks for the response, Noway2.
I have searched and have been reading articles online for the past week; I still just don't get it, which is why I resorted to my post.
Basically, I enable/initiate TPM. What did I just do? Nothing changes on the computer; I can still pull the hard drive out and look at files from a different PC. I don't understand what it is supposed to do, and am assuming it only works in conjunction with other software that has access to it?
The Windows help just tells you how to initiate it, how to change the ownership password, et cetera. The same with Wiki and everything else online: it's so vague and there are no real-world examples, except for BitLocker. BitLocker is useful, but now I am trying to figure out what the equivalent is in Linux. I know TrouSerS will let me manage the TPM module, but I just want to encrypt the hard drive so I cannot take files off of it.
Also, I read you could seal data by taking note of what hardware/software packages are on the OS, and if they change (i.e. someone puts a different video card in your system, or malicious software) it won't let you view the files. Does TPM do this? How does it do this?
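The sealing question above (does the TPM notice a changed video card or altered boot software, and how) comes down to two mechanisms: PCR extend, which folds each measured component into a register that can only be extended, never set; and a sealed blob bound to a chosen set of PCR values, which the chip will only unseal when the current PCRs reproduce that binding. The model below is an added example written for this thread, not code from the original post, from TrouSerS or from any TPM firmware. The extend rule matches what a TPM does (SHA-256 bank, new = H(old || H(measurement))); the storage root key, the measured component strings, the PCR indices and the HMAC-based wrapping used for seal/unseal are constructed stand-ins for the chip's internal key hierarchy and are labelled as such in the code.

```python
"""Simulation of TPM PCR measurement and PCR-bound sealing (added example).

Illustrative model only: the hash-extend rule is the real one, while the
seal/unseal wrapping is a plain-Python stand-in for the TPM's key hierarchy.
"""

import hashlib
import hmac
import os

PCR_COUNT = 8            # real TPMs expose 24 per bank; a few suffice here
DIGEST = hashlib.sha256  # TPM 2.0 SHA-256 bank; TPM 1.2 uses SHA-1 the same way

# Constructed stand-in for the storage root key, which never leaves a real chip.
SRK = hashlib.sha256(b"constructed storage root key for the example").digest()

# Constructed boot measurements: (pcr_index, component blob), in boot order.
GOOD_BOOT = [
    (0, b"firmware v1.02"),
    (2, b"option ROM: video card model A"),
    (4, b"bootloader: grub 2.04"),
    (4, b"kernel: vmlinuz-5.10"),
]


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). There is no 'set' operation,
    so the final value depends on every measurement and on their order."""
    return DIGEST(pcr_value + DIGEST(measurement).digest()).digest()


def measure_boot(components):
    """Return the PCR bank after extending each component into its register."""
    pcrs = [b"\x00" * 32] * PCR_COUNT   # PCRs reset to zero at power-on
    for idx, blob in components:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs


def policy_digest(pcrs, selected):
    """Composite digest of the selected PCRs; a sealed blob is bound to this."""
    h = DIGEST()
    for idx in sorted(selected):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the chip's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += DIGEST(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(srk: bytes, secret: bytes, pcrs, selected):
    """Wrap `secret` under a key derived from the root key and the PCR policy.
    Nothing in the blob reveals the secret without the matching PCR values."""
    wrap_key = hmac.new(srk, b"seal" + policy_digest(pcrs, selected), DIGEST).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap_key, nonce, len(secret))))
    tag = hmac.new(wrap_key, nonce + ct, DIGEST).digest()
    return {"selected": sorted(selected), "nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk: bytes, blob, pcrs):
    """Release the secret only if the current PCRs reproduce the sealing policy.
    Returns None on mismatch (a real TPM returns a policy-failure code)."""
    wrap_key = hmac.new(srk, b"seal" + policy_digest(pcrs, blob["selected"]), DIGEST).digest()
    expected = hmac.new(wrap_key, blob["nonce"] + blob["ct"], DIGEST).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(wrap_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def demo():
    """Seal a disk key to PCRs 0, 2 and 4, then replay four boot scenarios."""
    good = measure_boot(GOOD_BOOT)
    blob = seal(SRK, b"disk-encryption-key", good, {0, 2, 4})

    # Scenario: the video card (and so its measured option ROM) was replaced.
    new_card = [(i, (b"option ROM: video card model B" if i == 2 else d)) for i, d in GOOD_BOOT]
    # Scenario: same components, but kernel measured before the bootloader.
    reordered = GOOD_BOOT[:2] + [GOOD_BOOT[3], GOOD_BOOT[2]]
    # Scenario: a PCR outside the sealing selection changes after boot.
    unrelated = GOOD_BOOT + [(7, b"application measured after boot")]

    return {
        "same_platform": unseal(SRK, blob, good),
        "new_video_card": unseal(SRK, blob, measure_boot(new_card)),
        "reordered_boot": unseal(SRK, blob, measure_boot(reordered)),
        "unselected_pcr_changed": unseal(SRK, blob, measure_boot(unrelated)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {'unsealed ' + result.decode() if result else 'policy mismatch, nothing released'}")
```

Two things the model makes visible that the documentation the poster read leaves implicit: initializing (taking ownership of) the TPM only creates the root key and authorization, so nothing on the disk changes until some software seals a key to the PCRs and uses it; and the chip never "knows" what a video card is, it only sees that a measured blob hashed differently, which is also why an unmeasured change (PCR 7 in the last scenario) goes unnoticed. On current Linux distributions the real-world equivalent of the BitLocker-plus-TPM setup is a LUKS volume whose key is enrolled against PCRs, for example with systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7, or with the tpm2-tools commands (tpm2_pcrread, tpm2_createpolicy, tpm2_unseal) on a TPM 2.0; the thread's TrouSerS tooling targets the older TPM 1.2 interface.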
The main concept that I see behind trusted computing is that it takes code signing and encryption to a new level. In TC, the hardware contains the private key and will only execute code that has been signed with the public key; the private key is used to effectively decrypt it. On the positive side, TC could go a long way towards ensuring that only valid software is run on a system and that it hasn't been altered, say by malware, for example. On the negative side, it could be used to lock out all but certain proprietary vendors; think Apple's App Store, for example. If this is the sort of thing you are after, I believe that some vendors have made hardware to support this function; however, it is pretty uncommon.
A much more practical situation, at least by today's standards, is to encrypt your hard drive. This can be done several ways and is widely supported in Linux today, with methods such as dm-crypt and other, non-free tools such as TrueCrypt. Of course this doesn't protect against or prevent the alteration of software.
There are lots of good encryption alternatives. BitLocker (Windows) can be used without TPM, and does an awesome job if someone steals your hard drive; TrueCrypt is similar for Linux. I think encrypted hard drives are probably the best, since there is little software interference, but I like the idea of sealing. I have read all of the Trusted Computing propaganda, and agree that it could eventually be scary for the consumer; however, I have a motherboard with TPM built in at work and am trying to figure out what all I can do with it. All of the write-ups online just tell you how to install it, not really any examples.