Updated on 2025-08-28 GMT+08:00

Configuring ECS QingTian TPM

Scenarios

QingTian TPM is a virtual device that complies with the TPM 2.0 specification. It can serve as the root of trust of an ECS, anchoring a chain of trust that covers system boot and user-specified applications, and it supports remote attestation. QingTian TPM also securely stores tenant identity authentication data, such as passwords, certificates, and encryption keys, and it can generate keys and use them for cryptographic functions such as hashing, signing, encryption, and decryption.

QingTian TPM provides measured boot. During boot, the bootloader and OS compute a cryptographic hash of each boot binary they load and extend it into the Platform Configuration Registers (PCRs) of QingTian TPM: the new PCR value is the hash of the previous PCR value concatenated with the new measurement, so a PCR can only be extended, never set to a chosen value. With measured boot, you can obtain PCR values signed by QingTian TPM (a quote) and present them to a remote entity to prove the integrity of the boot software of an instance. This is called remote attestation. The remote entity should supply a fresh nonce that QingTian TPM includes in the signed quote, so that a captured quote cannot be replayed later.

With QingTian TPM, keys and secrets can be bound to specific PCR values so that they can only be released while the PCRs, and therefore the measured boot state of the instance, still match the values they were bound to. This form of conditional access is called sealing and unsealing. OS features such as BitLocker can use QingTian TPM to seal the drive decryption key so that the drive can only be decrypted after the OS has booted correctly into a known good state.
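The following is an added example, not Huawei Cloud or QingTian TPM code, that models on plain Python the three mechanisms described in the two paragraphs above: the PCR extend rule (PCR_new = SHA-256(PCR_old || SHA-256(component))), a quote in which the TPM signs the PCR value together with the verifier's nonce, and seal/unseal bound to an expected PCR value. It assumes an HMAC key as a stand-in for the TPM's attestation key and storage root key, and uses constructed byte strings in place of real boot binaries.

```python
"""Simulated TPM 2.0 measured boot, quote and PCR sealing (added example,
not QingTian TPM code). HMAC keys stand in for keys held inside a real TPM;
boot components are constructed byte strings."""
import hashlib
import hmac

PCR_LEN = 32
INITIAL_PCR = bytes(PCR_LEN)  # PCRs read as all zeros at power-on

# Constructed stand-ins for the binaries a bootloader/OS would measure.
BOOT_COMPONENTS = [
    b"UEFI firmware image (constructed)",
    b"shim + GRUB bootloader (constructed)",
    b"vmlinuz kernel (constructed)",
]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend: fold the component's digest into the register.
    A register can only be extended, never set, so a given value is only
    reachable by measuring the same components in the same order."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components) -> bytes:
    """Run the boot chain through extend() and return the final PCR value."""
    pcr = INITIAL_PCR
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> dict:
    """Quote: the TPM signs the PCR value and the verifier's nonce together."""
    sig = hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def verify_quote(q: dict, nonce: bytes, attestation_key: bytes,
                 expected_pcr: bytes) -> bool:
    """Verifier side: fresh nonce, valid signature, PCR equals golden value."""
    if q["nonce"] != nonce:  # a replayed quote carries a stale nonce
        return False
    expected_sig = hmac.new(attestation_key, nonce + q["pcr"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return False
    return hmac.compare_digest(q["pcr"], expected_pcr)


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (simulation only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, policy_pcr: bytes, storage_key: bytes) -> dict:
    """Seal: encrypt and authenticate under a key derived from the storage
    key and the PCR value the secret is bound to."""
    k = hmac.new(storage_key, policy_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, len(secret))))
    return {"ct": ct, "tag": hmac.new(k, ct, hashlib.sha256).digest()}


def unseal(blob: dict, current_pcr: bytes, storage_key: bytes):
    """Unseal: succeeds only if the current PCR equals the sealing PCR.
    Returns None (no partial plaintext) when the boot state has changed."""
    k = hmac.new(storage_key, current_pcr, hashlib.sha256).digest()
    tag = hmac.new(k, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    ks = _keystream(k, len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def demo() -> dict:
    """Good boot, tampered kernel, replayed quote, and sealing in both states."""
    ak = b"attestation-key (constructed)"
    srk = b"storage-root-key (constructed)"
    golden = measured_boot(BOOT_COMPONENTS)
    tampered = measured_boot(BOOT_COMPONENTS[:2] + [b"vmlinuz kernel (modified)"])
    nonce = b"verifier-nonce-0001"
    blob = seal(b"bitlocker-volume-key", golden, srk)
    return {
        "golden_pcr": golden.hex(),
        "good_boot_attested": verify_quote(quote(golden, nonce, ak), nonce, ak, golden),
        "tampered_boot_attested": verify_quote(quote(tampered, nonce, ak), nonce, ak, golden),
        "replayed_quote_accepted": verify_quote(quote(golden, b"old-nonce", ak), nonce, ak, golden),
        "unseal_after_good_boot": unseal(blob, golden, srk),
        "unseal_after_tampered_boot": unseal(blob, tampered, srk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two points the simulation makes visible are that a single changed byte in any measured component changes the final PCR (so the quote no longer matches the golden value and the sealed key stays locked), and that the verifier must bind the quote to its own nonce, otherwise a quote recorded from a known-good boot could be replayed from a compromised instance.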

Constraints

  • If you want to change the specifications of an ECS booted using an image with QingTian TPM enabled, the target specifications must also support QingTian TPM.
  • The boot mode of the image with QingTian TPM enabled must be UEFI.
  • BitLocker volumes whose keys are sealed to QingTian TPM can only be unlocked on the original instance. Keep the BitLocker recovery key so the volume remains accessible if the instance is rebuilt or the disk is attached elsewhere.
  • The QingTian TPM status of an ECS is not displayed in the ECS list.
  • The QingTian TPM status is not included in image snapshots.

Billing Rules

There is no additional cost for using QingTian TPM. You only pay for the ECS resources you use.

Configuring QingTian TPM on an ECS

  1. Log in to the management console.
  2. In the upper left corner, select a region and project.
  3. Open the service list. Under Compute, choose Elastic Cloud Server.
  4. Click Buy ECS.
  5. Set Trusted Settings based on service requirements.
    • To enable QingTian TPM, select TPM.
    • To disable QingTian TPM, deselect TPM.

    For details about how to configure basic, network, and advanced settings when purchasing an ECS, see Purchasing an ECS in Custom Config Mode.

  6. Click OK.
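Once the ECS is running, the console does not show the QingTian TPM status (see Constraints), so the practical check is made inside the guest. The following is an added example, not Huawei Cloud tooling, for a Linux ECS: it confirms that the guest exposes a TPM 2.0 device and booted via UEFI, the two conditions the constraints above depend on, and dumps the boot PCRs when tpm2-tools is installed. Every probe degrades to "absent" or "unknown" on a host without a TPM, so it is safe to run anywhere. The paths are the standard Linux ones and are assumptions: /dev/tpmrm0 and /dev/tpm0 for the device, /sys/class/tpm/tpm0/tpm_version_major for the spec version, and /sys/firmware/efi for UEFI boot.

```python
"""Post-provisioning TPM check for a Linux guest (added example, not
Huawei Cloud tooling). Assumed standard Linux paths; no TPM required."""
import os
import shutil
import subprocess

TPM_DEVICES = ("/dev/tpmrm0", "/dev/tpm0")  # resource-managed node first
TPM_VERSION_FILE = "/sys/class/tpm/tpm0/tpm_version_major"
EFI_DIR = "/sys/firmware/efi"


def tpm_device() -> str:
    """Return the first TPM character device the guest exposes, else ''."""
    for dev in TPM_DEVICES:
        if os.path.exists(dev):
            return dev
    return ""


def tpm_spec_version() -> str:
    """Major TPM spec version from sysfs ('2' for TPM 2.0), or 'unknown'."""
    try:
        with open(TPM_VERSION_FILE) as f:
            return f.read().strip()
    except OSError:
        return "unknown"


def boot_mode() -> str:
    """'uefi' if the kernel exposes EFI variables, otherwise 'bios'."""
    return "uefi" if os.path.isdir(EFI_DIR) else "bios"


def read_boot_pcrs(pcrs=range(0, 8)) -> str:
    """Dump PCR 0-7 (firmware and bootloader measurements) via tpm2_pcrread.
    Returns the tool's output, or '' when no device or no tpm2-tools."""
    if not tpm_device() or shutil.which("tpm2_pcrread") is None:
        return ""
    selection = "sha256:" + ",".join(str(i) for i in pcrs)
    proc = subprocess.run(["tpm2_pcrread", selection],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def report() -> dict:
    """Collect all checks; 'ok' is True only when a TPM 2.0 device is
    present and the guest booted via UEFI, i.e. measured boot can work."""
    dev = tpm_device()
    version = tpm_spec_version()
    mode = boot_mode()
    return {
        "tpm_device": dev or "absent",
        "tpm_spec_version": version,
        "boot_mode": mode,
        "boot_pcrs": read_boot_pcrs(),
        "ok": bool(dev) and version == "2" and mode == "uefi",
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value if value != '' else '(unavailable)'}")
```

On a Windows ECS the equivalent check is the built-in PowerShell cmdlet Get-Tpm, whose TpmPresent and TpmReady fields should both be True before BitLocker is configured to use the TPM protector. If "ok" is False on Linux, re-check that the image is UEFI and that TPM was selected under Trusted Settings when the ECS was bought; both are fixed at creation time.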