TPM 1.2 vs 2.0: Differences & How to Upgrade
7 min. read
Updated on
Share this article
Improve this guide
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Key notes
- TPM 1.2 vs 2.0, which one is more secure? In this guide, we’re going to compare the two and tell you which is a better choice.
- TPM is a physical chip on your motherboard, but it can also be placed inside your CPU.
- Its main purpose is to protect your passwords, encryption keys, and other sensitive data.
- Want to know more about TPM 1.2 and 2.0 security? This guide will answer this and all other questions on the given topic.
As you probably know, Windows 11 was recently announced, and it brings a wide array of new features as well as some specific requirements.
Regarding Windows 11 hardware requirements, the new change everybody is talking about is the TPM chip, and unless you have it, you won’t be able to upgrade to Windows 11 due to TPM 2.0 errors.
There are two versions of TPM, and in this guide, we’re going to compare TPM 1.2 vs 2.0 and see which one is better.
TPM 1.2 vs 2.0, which one should I use?
A quick history of TPM
TPM was first introduced by Trusted Computing Group in 2009, and since then it has been used in computers, ATM devices, and set-top boxes.
As for the TPM 1.2, it was released in 2005, and it has received the last revision in 2011. On the other hand, TPM 2.0 was released initially in 2014, while the latest revision being from 2019.
The two versions have various differences, but before we start comparing them, let’s see what TPM does and how it protects your PC.
What is TPM?
TPM stands for Trusted Platform Module, and it’s a dedicated microcontroller that provides encryption features and an additional layer of security to your PC.
TPM is usually a chip on your motherboard, but it can be also integrated inside of the CPU, or it can run in firmware separately. Some motherboards have TPM connectors, so you can add a TPM chip on your own.
There’s also a completely virtual TPM that runs on a software level, but many experts believe that it’s not as safe as its physical counterpart.
How does TPM work?
TPM is used mostly for encryption, and it will generate and store parts of the encryption keys. This means that if you want to unlock an encrypted drive, you’ll need to use the same TPM chip that generated the encryption key.
Since the encryption key isn’t stored on your drive, it’s harder for hackers to decrypt your data since they need access to the TPM chip as well.
TPM chips also have tamper protection, and in case the chip or motherboard is tampered with by a hacker, the TPM should still be able to keep your data locked.
In addition to encryption, the TPM can protect your PC from bootloader malware by verifying the boot loader. In case your bootloader has been tempered with, TPM will prevent your system from booting.
TPM also has a Quarantine Mode that you can use to fix bootloader issues. Lastly, TPM stores all your passwords inside it, which makes them secure from hackers.
As for other uses, TPM is used for digital rights management, protection of software licenses, and in some cases, as prevention from cheating in video games.
TPM 1.2 vs 2.0, what are the differences?
TPM 2.0 is an improvement over TPM 1.2, and while they are similar, you should know that TPM 2.0 isn’t compatible with TPM 1.2.
TPM 1.2 has a one-size-fits-all specification, while the 2.0 version has platform-specific specifications that define which parts of the library are mandatory or optional.
As for algorithms on TPM 1.2, SHA-1 and RSA are required, while the AES is optional. With TPM 2.0, SHA-1 and SHA-256 are required for hashes.
RSA and ECC with Barreto-Naehrig 256-bit curve and a NIST P-256 curve are used for public-key cryptography and asymmetric digital signature generation and verification in TPM 2.0.
As for symmetric digital signature generation, the TPM 2.0 is using the HMAC, and 128-bit AES for symmetric-key algorithms.
The difference between algorithms is noticeable, which makes TPM 2.0 a far secure solution.
Regarding the crypto primitives, the TPM 1.2 and 2.0 offer the following:
- Random number generation
- Public-key cryptographic algorithm
- Mask generation function
- Digital signature generation and verification
- Symmetric-key algorithms
Despite sharing the same features, TPM 2.0 uses Direct Anonymous Attestation using the Barreto-Naehrig 256-bit curve, so it’s safer to use.
In terms of hierarchy, TPM 1.2 has just the storage hierarchy, while TPM 2.0 has a platform, storage, and endorsement hierarchy.
Regarding the root keys, only SRK RSA-2048 is supported with TPM 1.2, while the TPM 2.0 supports multiple keys and algorithms per hierarchy.
As for authorization, TPM 1.2 uses HMAC, PCR, locality, and physical presence. TPM 2.0 offers the same authorization features as well as password protection.
In terms of NVRAM, TPM 1.2 supports only unstructured data, while TPM 2.0 supports unstructured data, Counter, Bitmap, Extend, PIN pass and fail.
As you can see, TPM 2.0 offers a wide array of improvements, and it’s a more secure choice when it comes to data protection and encryption.
Here’s a quick overview of the algorithms that TPM 1.2 and TPM 2.0 support.
| Algorithm type: | Name: | TPM 1.2 | TPM 2.0 |
|---|---|---|---|
| Asymmetric | RSA 1024 | Yes | Optional |
| RSA 2048 | Yes | Yes | |
| ECC P256 | No | Yes | |
| ECC BN256 | No | Yes | |
| Symmetric | AES 128 | Optional | Yes |
| AES 256 | Optional | Optional | |
| Hash | SHA-1 | Yes | Yes |
| SHA-2 256 | No | Yes | |
| HMAC | SHA-1 | Yes | Yes |
| SHA-2 256 | No | Yes |
Why is TPM 2.0 better than TPM 1.2?
TPM 1.2 only uses the SHA-1 hashing algorithm, which is a problem since SHA-1 isn’t secure, and many agencies started moving to SHA-256 in 2014.
Microsoft and Google removed the support for SHA-1 based signing of certificates in 2017. It’s also worth mentioning that TPM 2.0 supports newer algorithms that will improve drive signing and key generation performance.
TPM 2.0 also offers a more consistent experience, and the lockout policy is configured by Windows. With TPM 1.2, the implementations vary by policy settings, which can be a security concern.
We also have to mention that certain features such as device encryption, Windows Defender System Guard, Autopilot, and SecureBIO are available only when using TPM 2.0.
Here’s a list of features that TPM 1.2 and TPM 2.0 support:
| TPM 1.2 | TPM 2.0 | |
|---|---|---|
| Measured Boot | ✅ | ✅ |
| BitLocker | ✅ | ✅ |
| Device Encryption | ❌ | ✅ |
| Windows Defender Application Control | ✅ | ✅ |
| Windows Defender System Guard | ❌ | ✅ |
| Credential Guard | ✅ | ✅ |
| Device Health Attestation | ✅ | ✅ |
| Windows Hello | ✅ | ✅ |
| UEFI Secure Boot | ✅ | ✅ |
| TPM Platform Crypto Provider Key Storage Provider | ✅ | ✅ |
| Virtual Smart Card | ✅ | ✅ |
| Certificate storage | ✅ | ✅ |
| Autopilot | ❌ | ✅ |
| SecureBIO | ❌ | ✅ |
Does Windows 11 require TPM 2.0?
When it was first announced, the Windows 11 hardware requirements stated that Windows 11 will work with TPM 1.2 and TPM 2.0, with the latter being a more secure choice.
According to the documentation, an upgrade to Windows 11 would be allowed with a TPM 1.2 chip, but not advised. However, Microsoft has updated its documentation, and currently, the TMP 2.0 stands as the requirement for Windows 11.
This leads us to believe that TPM 2.0 is the requirement for Windows 11 and that users with TMP 1.2 chips won’t be able to use Windows 11.
However, there’s a way to install Windows 11 without TPM, if you’re tech-savvy. On the bright side, it seems that some Windows 11 systems will work without TPM 2.0 chips, which is great news for many.
Is TPM intended only for business users?
Although TPM was developed initially for business users, the technology is now available on home PCs as well.
While encrypting your data isn’t essential for home users, if you want to ensure that your files are safe at all times, then encrypting your files and using TPM is a must.
Not all encryption requires TPM, but using it offers a layer of hardware security which makes it harder for hackers to access your data.
It offers tampering protection, so you can rest assured that your encrypted files will stay protected against hackers even if they try to modify your hardware.
TPM isn’t just used for file encryption, and you’re probably using it as a home user without even knowing it. If you’re using Windows Hello feature, you’re already using a TPM.
Your passwords and PINs are also stored in TPM, even for home users. Lastly, TPM provides you with a Secure Boot feature that stops bootloaders from infecting your PC.
So even if you’re not a business user and you don’t encrypt your data, you still benefit from TPM as a home user.
Conclusion
TPM 1.2 and TPM 2.0 have their benefits, and with recently announced Windows 11 requirements, the TPM chips will become a must-have, so if you don’t own a TPM chip, you might want to consider buying a TPM chip.
If you want to learn more, we also have a guide on TPM in Windows 11, so don’t miss it.
So which version of the TPM is better? The answer is pretty simple, the TPM 2.0 is newer, more secure, and it offers more security features, it works better with Windows, and we can safely say that TPM 2.0 is a better choice than TPM 1.2.
