Is TPM 2.0 supported?

JohnPCooper

Cadet
Joined
Jul 5, 2023
Messages
2

I would like to see it able to be used for things, as it enhances the security of the TrueNAS Core and TrueNAS Scale product lines by helping to ensure the keys for SED drives, for instance, are protected better by being held in TPMs.

I have voted on these feature requests.


Not to mention encrypted datasets and/or pools with keys by default used from TPM, before pass phrase or a generated recovery key.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I would like to see it able to be used for things, as it enhances the security of the TrueNAS Core and TrueNAS Scale product lines by helping to ensure the keys for SED drives, for instance, are protected better by being held in TPMs.

That will be a joyful thing to explain to users when their disks get separated from the server and the pool isn't mountable on the new replacement server.
 

NickF

Guru
Joined
Jun 12, 2014
Messages
763
I have to agree with jgreco here. That would cause a heck of a lot more trouble than it's worth. What attack vector exists that you're trying to prevent? Which scenario is more likely?
  • A robber enters your datacenter. He dismantles your TrueNAS server and replaces the motherboard with an identical version, but backdoored with the secret ability to transmit keys for your SED drives to China?
  • A robber enters your datacenter. He steals your TrueNAS server.
As a general statement, TPM being integrated in mobile devices makes sense. If someone stole your laptop, before TPM existed, they could pop your hard drive into another computer and dump its contents without any sort of password. BitLocker + TPM solves that problem. In a server environment with a TrueNAS in a datacenter, with sometimes hundreds of disks, the risk of such an attack vector is infinitesimally smaller.
 