3.5 Given a scenario, install and configure motherboards, central processing units (CPUs), and add-on cards.
📘 CompTIA A+ Core 1 (220-1201)
Encryption is the process of protecting data so that only authorized systems or users can access it. In modern IT environments, encryption is often handled by hardware-based security components, which improves security by keeping keys out of reach of software-based attacks.
For the A+ exam, you must understand:
- What TPM and HSM are
- How they work
- Where they are used
- Their differences
- How they relate to motherboard installation and configuration
1. Trusted Platform Module (TPM)
What is TPM?
A Trusted Platform Module (TPM) is a security chip that is either:
- Built into the motherboard, or
- Added as a dedicated TPM module
Its main job is to store encryption keys securely and ensure that the system has not been tampered with during startup.
Where is TPM located?
- Integrated directly on modern motherboards, or
- Installed as a small module connected to a TPM header on the motherboard
Most modern systems use TPM 2.0, which is the current exam-relevant version.
What does TPM do?
TPM performs the following security functions:
- Stores encryption keys
- Supports full-disk encryption
- Verifies system integrity during boot
- Protects credentials such as passwords and certificates
- Prevents unauthorized system changes
TPM and Encryption
TPM is commonly used for:
- BitLocker (Windows full-disk encryption)
- Secure storage of encryption keys
- Protecting login credentials
The encryption keys are never exposed to the operating system, which makes them harder to steal.
TPM and Secure Boot
During system startup:
- TPM checks the boot process
- It verifies that firmware, bootloader, and OS have not been altered
- If changes are detected, the system may refuse to boot or require recovery
This protects against:
- Boot-level malware
- Unauthorized firmware changes
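As an added illustration (not part of these notes or of any vendor's firmware), the following Python simulation shows the boot-integrity check described above: each boot component is folded into a PCR-style measurement, a disk-encryption key is sealed to the expected measurement, and a modified bootloader makes unsealing fail, which is the point at which BitLocker would prompt for its recovery key. The TPM secret, disk key and boot images are constructed sample values; the extend and seal logic mirrors what a real TPM does but runs entirely in software.

```python
import hashlib
import hmac

PCR_ZERO = bytes(32)  # a PCR starts as all zeros at power-on

def extend_pcr(pcr, component):
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot_chain(components):
    """Fold firmware, bootloader and OS loader images into one PCR, in boot order."""
    pcr = PCR_ZERO
    for image in components:
        pcr = extend_pcr(pcr, image)
    return pcr

def seal_key(disk_key, expected_pcr, tpm_secret):
    """Wrap the disk key so it is only recoverable when the PCR equals expected_pcr.
    tpm_secret stands in for a value that never leaves the chip (constructed here)."""
    pad = hashlib.sha256(tpm_secret + expected_pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(tpm_secret, expected_pcr + wrapped, hashlib.sha256).digest()
    return wrapped + tag

def unseal_key(blob, current_pcr, tpm_secret):
    """Return the disk key if current_pcr matches the sealed value, otherwise None."""
    wrapped, tag = blob[:32], blob[32:]
    expected = hmac.new(tpm_secret, current_pcr + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # measurements differ: the OS cannot get the key, recovery is needed
    pad = hashlib.sha256(tpm_secret + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))

# Constructed sample boot chain; real images are large binaries, hashed the same way.
TRUSTED_CHAIN = [b"firmware v1", b"bootloader v1", b"os loader v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1 (modified)", b"os loader v1"]
TPM_SECRET = b"\x11" * 32            # constructed; a real TPM never exposes this
DISK_KEY = bytes(range(32))          # constructed 256-bit volume key

def provision():
    """Seal the disk key to the trusted chain's PCR value (done once, at setup)."""
    return seal_key(DISK_KEY, measure_boot_chain(TRUSTED_CHAIN), TPM_SECRET)

def boot(sealed_blob, chain_present):
    """Simulate startup: measure what actually loaded, then try to unseal the key."""
    key = unseal_key(sealed_blob, measure_boot_chain(chain_present), TPM_SECRET)
    return ("unlocked", key) if key is not None else ("recovery required", None)
```

Because each stage is hashed into the previous value, the order of components matters as well as their contents, which is why a changed bootloader breaks unsealing even when the OS loader is untouched.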
TPM Versions (Exam Tip)
- TPM 1.2 – Older, limited encryption support
- TPM 2.0 – Modern standard, required by newer operating systems
For the exam, remember:
✅ TPM 2.0 is the current standard
TPM Configuration
TPM is enabled or configured in:
- BIOS/UEFI settings
Common TPM settings include:
- Enable or disable TPM
- Clear TPM (removes stored keys)
- Set TPM to firmware or discrete mode
TPM Use in IT Environments
TPM is widely used in:
- Business desktops and laptops
- Enterprise workstations
- Systems requiring disk encryption and secure authentication
Key Exam Points for TPM
- Hardware-based encryption support
- Integrated with motherboard
- Used with BitLocker
- Stores encryption keys securely
- Enabled in BIOS/UEFI
- TPM 2.0 is preferred
2. Hardware Security Module (HSM)
What is an HSM?
A Hardware Security Module (HSM) is a dedicated security device designed to:
- Generate
- Store
- Manage
- Protect encryption keys
HSMs provide very high security and are usually used in enterprise or data-center environments.
Where is an HSM used?
HSMs are not usually built into personal computers. They are found in:
- Servers
- Data centers
- Enterprise security systems
They may exist as:
- Network-attached devices
- PCIe add-on cards
- External appliances
What does an HSM do?
An HSM performs advanced encryption tasks such as:
- Key generation
- Digital signing
- Encryption and decryption
- Certificate management
- Secure authentication processing
All cryptographic operations happen inside the HSM, keeping keys isolated from the operating system.
HSM and Encryption
HSMs are commonly used for:
- Public Key Infrastructure (PKI)
- Certificate Authorities (CA)
- Database encryption
- Secure communications
- High-security authentication systems
HSM Security Features
HSMs provide:
- Physical tamper resistance
- Secure key storage
- Access control
- High-performance cryptographic processing
If an HSM detects tampering, it may:
- Erase stored keys
- Shut down automatically
HSM Use in IT Environments
HSMs are used when:
- Very high security is required
- Large numbers of encryption keys must be managed
- Compliance standards must be met
Typical environments include:
- Enterprise servers
- Cloud infrastructure
- Secure transaction systems
Key Exam Points for HSM
- Dedicated encryption hardware
- Used mainly in enterprise environments
- Manages encryption keys securely
- Can be a network device or add-on card
- Higher security than TPM
- Not commonly used in personal PCs
3. TPM vs HSM (Exam Comparison)
| Feature | TPM | HSM |
|---|---|---|
| Location | Built into motherboard | External or add-on device |
| Primary Use | Device security | Enterprise encryption |
| Key Storage | Local system | Centralized |
| Common Usage | BitLocker, Secure Boot | PKI, certificates |
| Cost | Low | High |
| Exam Focus | Very important | Conceptual understanding |
4. How This Relates to Domain 3.5
Domain 3.5 focuses on installing and configuring hardware. For encryption:
- TPM is configured through BIOS/UEFI
- TPM may be a motherboard component
- HSM may be an add-on card or external device
You are expected to:
- Recognize encryption hardware
- Know when to use TPM vs HSM
- Understand their purpose and role
5. Exam Tips (Must Remember)
- TPM = motherboard-based security chip
- TPM is used with BitLocker
- TPM must be enabled in BIOS/UEFI
- TPM 2.0 is the current standard
- HSM = enterprise-level encryption hardware
- HSM offers stronger, centralized security
- TPM is common in PCs; HSM is common in servers
