12th Generation Intel® Core™ Processors Datasheet, Volume 1 of 2
A newer version of this document is available. Customers should click here to go to the newest version.
Intel® Multi-Key Total Memory Encryption
This technology encrypts the platform’s entire memory with multiple encryption keys. TME, when enabled via BIOS configuration, ensures that all memory accessed from the Intel processor is encrypted.
TME encrypts memory accesses using the AES XTS algorithm with 128-bit keys. The global encryption key used for memory encryption is generated using a hardened random number generator in the processor and is not exposed to software.
Software (OS/VMM) manages the use of keys and can use each of the available keys for encrypting any page of the memory. Thus, Intel® Multi-Key Total Memory Encryption (Intel® MKTME) allows page granular encryption of memory. By default MKTME uses the TME encryption key unless explicitly specified by software.
Data in-memory and on the external memory buses is encrypted and exists in plain text only inside the processor. This allows existing software to operate without any modification while protecting memory using TME. TME does not protect memory from modifications.
TME allows the BIOS to specify a physical address range to remain unencrypted. Software running on a TME enabled system has full visibility into all portions of memory that are configured to be unencrypted by reading a configuration register in the processor.
More information on Intel® MKTME can be found at: