Should I disable TPM for more privacy?

I mean, won't it expose any of my information? Or am I just being paranoid? Anyone here had experience with that?

It would help if you added more context to your post. This is a bit low effort. But the answer is no.

4 Likes

No, the TPM is just a security chip that protects encryption keys and helps verify your firmware. It only enhances your security and privacy so you should leave it on.

8 Likes

I feel there is a risk that either you or people finding this thread in the future are asking this question because of dubious claims made by a certain YouTuber, so I'll leave this here:

TPM is there to increase security.
What information do you think TPM is revealing?

2 Likes

Not the OP, and I don't want to assume where they are getting this type of info, but I see people spreading some bad rep about TPM with some frequency: Anti-TPM/DRM PSA from 2005

Yeah. That's why I asked this 🙁

You shouldn't disable your TPM, but you shouldn't use it to store your encryption keys either. TPMs aren't as secure as many people think they are. If you're curious, I could write a more detailed explanation, but honestly, not everyone is interested in that kind of content. If you are, let me know. The bottom line is, TPMs (regardless of whether they are dTPMs or fTPMs) are flawed, and they've been broken before, and yes, that includes dedicated TPMs. You specifically shouldn't use them to hold your LUKS keys, because TPM-backed encryption is actually badly implemented on Linux.

1 Like

In fact, yes. I am interested.

Which is better? As far as I know, my laptop uses an fTPM.

What's the point of keeping it in this case?

A TPM does several things, like attestation and true random number generation, but its primary purpose is to keep sensitive information safe, such as encryption keys or passkeys. The most common types of TPMs are discrete TPMs (dTPMs), which are dedicated chips on your motherboard, and firmware TPMs (fTPMs), which are essentially emulated TPMs using firmware in a trusted CPU environment.

The biggest difference between dTPMs and fTPMs is that dTPMs have physical safeguards to detect and prevent tampering. For example, discrete TPMs use special coverings and sensors to detect such attempts. fTPMs lack such protection, which allowed bypasses of the fTPM's anti-hammering security in the faulTPM exploit. On the other hand, dTPMs need to communicate with the CPU, and that communication can be tapped and manipulated. This is how BitLocker keys were compromised when setups lacked a PIN, because without a PIN, the TPM would release the key as long as it believed the system hadn't been tampered with. However, this vulnerability can be prevented by protecting the TPM with a PIN or by enabling bus encryption, a feature BitLocker doesn't utilize.

Several manufacturers produce dTPMs, and all of them have their own methods. It's difficult to determine whether their implementation is secure, or even whether they've been backdoored. What many people don't realize is that even dTPMs have been compromised in the past.

I would say with a PIN, dTPMs are more secure. Without a PIN (which is not really secure in the first place), fTPMs.

SecureBoot, Passkeys.

5 Likes
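The points made in the two posts above (a TPM-only unlock releases the key to whoever can reproduce the measured boot state, a PIN adds a second factor, and anti-hammering is what limits PIN guessing) are easier to see in a small model. The following is an added example written for this thread, not code from any poster or from a real TPM implementation: a toy TPM with SHA-256 PCR extend, sealing bound to a PCR policy, an optional PIN (authValue), and a lockout counter. The PCR indices, the lockout limit, the component names and the volume key are all constructed values for the demonstration.

```python
"""Toy model of TPM sealing: PCR extend, PCR-bound policy, PIN and lockout.

Added illustration for the thread above; not a real TPM and not any vendor's
code. Shows why TPM-only unlock is weaker than TPM + PIN.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

PCR_COUNT = 24
MAX_PIN_FAILURES = 3  # assumed anti-hammering limit for the toy model


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0-style extend: PCR_new = SHA256(PCR_old || SHA256(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


@dataclass
class ToyTPM:
    pcrs: List[bytes] = field(default_factory=lambda: [bytes(32)] * PCR_COUNT)
    # handle -> (secret, bound PCR set, expected policy digest, hashed PIN or None)
    store: Dict[int, Tuple[bytes, FrozenSet[int], bytes, Optional[bytes]]] = field(
        default_factory=dict
    )
    pin_failures: int = 0

    def measure(self, index: int, component: bytes) -> None:
        """Record a boot component in a PCR (what measured boot does)."""
        self.pcrs[index] = pcr_extend(self.pcrs[index], component)

    def policy_digest(self, indices: FrozenSet[int]) -> bytes:
        """Digest of the selected PCRs, in the spirit of a PolicyPCR check."""
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def seal(self, secret: bytes, indices, pin: Optional[bytes] = None) -> int:
        """Bind a secret to the current PCR state and, optionally, a PIN."""
        bound = frozenset(indices)
        auth = hashlib.sha256(pin).digest() if pin is not None else None
        handle = len(self.store)
        self.store[handle] = (secret, bound, self.policy_digest(bound), auth)
        return handle

    def unseal(self, handle: int, pin: Optional[bytes] = None) -> Optional[bytes]:
        secret, indices, expected, auth = self.store[handle]
        if not hmac.compare_digest(self.policy_digest(indices), expected):
            return None  # boot state differs from provisioning: key stays inside
        if auth is not None:
            if self.pin_failures >= MAX_PIN_FAILURES:
                return None  # lockout (anti-hammering); the part faulTPM bypassed on fTPMs
            if pin is None or not hmac.compare_digest(hashlib.sha256(pin).digest(), auth):
                self.pin_failures += 1
                return None
            self.pin_failures = 0
        return secret  # handed to the host over the bus, in the clear unless bus encryption is used


def boot(tpm: ToyTPM, firmware: bytes, bootloader: bytes) -> None:
    """Constructed two-stage measured boot; PCR indices are illustrative."""
    tpm.measure(0, firmware)
    tpm.measure(7, bootloader)


def demo() -> Dict[str, bool]:
    key = b"constructed-volume-key"
    fw, bl = b"vendor-firmware-v1", b"bootloader-signed"
    tpm = ToyTPM()
    boot(tpm, fw, bl)                       # provisioning boot in the trusted state
    h_nopin = tpm.seal(key, {0, 7})         # "TPM-only" unlock, the no-PIN BitLocker case
    h_pin = tpm.seal(key, {0, 7}, pin=b"1234")
    r: Dict[str, bool] = {}
    # Same measured state, no PIN: the TPM releases the key to whoever asks.
    r["same_state_no_pin"] = tpm.unseal(h_nopin) == key
    r["same_state_wrong_pin"] = tpm.unseal(h_pin, b"0000") is None
    r["same_state_right_pin"] = tpm.unseal(h_pin, b"1234") == key
    # Repeated wrong guesses trip the lockout, so even the right PIN is refused.
    for _ in range(MAX_PIN_FAILURES):
        tpm.unseal(h_pin, b"9999")
    r["locked_out_even_with_right_pin"] = tpm.unseal(h_pin, b"1234") is None
    # A modified bootloader changes PCR 7, so the policy no longer matches.
    tampered = ToyTPM(store=tpm.store)
    boot(tampered, fw, b"bootloader-modified")
    r["tampered_state_no_pin"] = tampered.unseal(h_nopin) is None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model deliberately returns the secret from `unseal` as a plain value: that is the step where, on a discrete TPM without bus encryption, the key crosses the LPC/SPI bus in the clear, which is why the PIN matters in the no-bus-encryption BitLocker setup described above. The lockout counter is the anti-hammering property the post attributes to TPMs; a real TPM enforces it in hardware or firmware, and the post's point is that an fTPM's enforcement was shown to be bypassable.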

True, and this is the impetus behind Microsoft's Pluton chip. Manufacturers can use it and have a good TPM implementation, and it is integrated into the SoC, so it fixes the issue other dTPMs have with snooping over the communication bus.

The Copilot+ Windows PCs have the Pluton chip so those are probably worth checking out.

2 Likes

It's refreshing to see someone who understands this. As much as I dislike Microsoft's policies, they are moving in the right direction with Pluton, at least for the most part. Apparently, with the next iteration of BitLocker, the entire encryption/decryption process will happen on a dedicated chip, eliminating the need for keys in RAM and improving performance as well. It'll likely work like FileVault on M1+ processors or Android/Graphene with Titan. I'm not sure if this will require newer CPUs compatible with Pluton, or if Pluton-compatible CPUs already have these capabilities, perhaps only requiring software support.

2 Likes