12th Generation Intel® Core™ Processors
Datasheet, Volume 1 of 2
A newer version of this document is available. Customers should click here to go to the newest version.
Intel® Total Memory Encryption - Multi-Key
This technology encrypts the platform's entire memory with multiple encryption keys. Intel® Total Memory Encryption (Intel® TME), when enabled via BIOS configuration, ensures that all memory accessed from the Intel processor is encrypted.
Intel TME encrypts memory accesses using the AES XTS algorithm with 128-bit keys. The global encryption key used for memory encryption is generated using a hardened random number generator in the processor and is not exposed to software.
Software (OS/VMM) manages the use of keys and can use each of the available keys for encrypting any page of the memory. Thus, Intel® Total Memory Encryption - Multi-key (Intel® TME-MK) allows page granular encryption of memory. By default Intel TME-MK uses the Intel TME encryption key unless explicitly specified by software.
Data in-memory and on the external memory buses is encrypted and exists in plain text only inside the processor. This allows existing software to operate without any modification while protecting memory using Intel TME. Intel TME does not protect memory from modifications.
Intel TME allows the BIOS to specify a physical address range to remain unencrypted. Software running on Intel TME enabled system has full visibility into all portions of memory that are configured to be unencrypted by reading a configuration register in the processor.
- Memory access to nonvolatile memory (Intel® Optane™) is encrypted as well.
More information on Intel TME-MK can be found at:
- A cold boot is required when enable/ disable Intel TME feature on this platform.