TPM (Trusted Platform Module)
A dedicated security chip on the motherboard that securely stores cryptographic keys, verifies system integrity during boot, and serves as a hardware root of trust for BitLocker, Windows Hello, and other security features.
The Trusted Platform Module (TPM) is a dedicated hardware security chip integrated into the motherboard of PCs, laptops, and servers. It provides a secure, tamper-resistant environment for cryptographic operations and key storage.
What does a TPM do?
Secure key storage: TPM securely stores cryptographic keys—inside the chip itself, not on the hard drive. These keys cannot be extracted without physical access to the chip.
System integrity verification (Measured Boot): During the boot process, Platform Configuration Registers (PCRs) in the TPM measure every step of the boot process:
UEFI firmware → PCR[0]
Bootloader → PCR[4]
Operating system kernel → PCR[8]
Drivers → PCR[10]
If a component is tampered with, the PCR value changes—and the system detects the compromise.
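The following is an added example (not code from the original page) that models the PCR extend operation and shows why a tampered boot stage prevents a sealed key, such as the BitLocker Volume Master Key, from being released. The PCR mapping follows the chain above; the boot images, the 32-byte key and the XOR-based sealing are constructed stand-ins for a real TPM's PolicyPCR-protected object.

```python
import hashlib

# PCR assignment for each boot stage, taken from the chain described on this page
BOOT_CHAIN = {"uefi": 0, "bootloader": 4, "kernel": 8, "drivers": 10}

def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM extend: new = SHA-256(old || measurement). A PCR can only be extended, never set."""
    return hashlib.sha256(pcr_value + measurement).digest()

def measured_boot(components: dict) -> dict:
    """Simulate Measured Boot: hash each stage and extend it into its PCR (PCRs start at zero)."""
    pcrs = {index: bytes(32) for index in BOOT_CHAIN.values()}
    for stage, image in components.items():
        index = BOOT_CHAIN[stage]
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(image).digest())
    return pcrs

def pcr_policy(pcrs: dict, selection) -> bytes:
    """Digest over the selected PCR values, a simplified model of TPM2 PolicyPCR."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

def seal(secret: bytes, pcrs: dict, selection) -> tuple:
    """Bind a secret to the current PCR state. Toy encryption: XOR with a policy-derived keystream."""
    policy = pcr_policy(pcrs, selection)
    keystream = hashlib.sha256(b"seal-key" + policy).digest()
    assert len(secret) <= len(keystream)
    return policy, bytes(a ^ b for a, b in zip(secret, keystream))

def unseal(sealed: tuple, pcrs: dict, selection):
    """Release the secret only if the current PCRs reproduce the policy it was sealed under."""
    policy, ciphertext = sealed
    if pcr_policy(pcrs, selection) != policy:
        return None  # boot chain changed: the TPM refuses to release the key
    keystream = hashlib.sha256(b"seal-key" + policy).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))

# Constructed sample boot images (placeholders for real firmware and bootloader binaries)
GOOD_BOOT = {"uefi": b"UEFI-fw-1.0", "bootloader": b"bootmgfw-signed",
             "kernel": b"ntoskrnl", "drivers": b"driver-set"}
TAMPERED_BOOT = dict(GOOD_BOOT, bootloader=b"bootmgfw-MODIFIED")
SELECTION = (0, 4, 8, 10)

def demo():
    vmk = b"volume-master-key-demo-32-bytes!"  # constructed 32-byte stand-in for a VMK
    sealed = seal(vmk, measured_boot(GOOD_BOOT), SELECTION)
    good = unseal(sealed, measured_boot(GOOD_BOOT), SELECTION)
    bad = unseal(sealed, measured_boot(TAMPERED_BOOT), SELECTION)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

Only PCR[4] differs between the two boots, but that alone changes the policy digest, so the key is not released and the volume stays locked.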
Remote Attestation: The TPM can cryptographically prove to another system (e.g., a corporate server) that the local system is intact and has not been tampered with.
Random Number Generator (RNG): Hardware-based True Random Number Generator for cryptographic applications.
TPM Versions
TPM 1.2: Older version, supports SHA-1 and RSA-1024. Still present in many legacy systems.
TPM 2.0: Current standard (since 2014). Supports SHA-256, ECC, AES, and other modern algorithms. Windows 11 minimum requirement.
fTPM (Firmware TPM): Implementation of the TPM in CPU firmware (AMD, Intel) – no separate physical chip, but same functionality.
Discrete TPM: Dedicated physical chip on the motherboard – highest security, as it is separate from the CPU.
Practical Applications
BitLocker (Windows): BitLocker uses the TPM to secure the Volume Master Key (VMK). The key is tied to the measured system configuration—hard drive in a different system → no access.
Windows Hello: Biometric data (fingerprint, facial recognition) is linked to TPM keys – credentials never leave the device.
Secure Boot: UEFI Secure Boot uses TPM-based keys to boot only signed operating systems – prevents bootkit malware.
VPN Certificates and Client Authentication: Corporate VPN certificates can be stored in the TPM—cannot be extracted or copied to USB drives.
FIDO2 / Passkeys: FIDO2 hardware authenticators (such as YubiKey) use similar principles; Windows Hello for Business integrates FIDO2 with TPM.
TPM and Enterprise Security
Why TPM is important for businesses:
- Protection against device theft: Hard drive from a stolen laptop → no data readable (BitLocker with TPM)
- Device compliance verification: Conditional Access (Zero Trust) may require TPM attestation for device trust
- Credential protection: Windows Credential Guard uses TPM for secure credential isolation
- Endpoint security: EDR solutions use TPM for tamper-proof logging
NIS2 and KRITIS: For regulated organizations, TPM-based device trust provides a verifiable hardware security anchor.
TPM Vulnerabilities
Despite its security architecture, the TPM is not infallible:
TPM Sniffing: On certain discrete TPM chips connected via an LPC bus, communication between the CPU and the TPM can be eavesdropped on with physical access (CVE-2021-3895 and similar). A firmware TPM mitigates this, since the traffic never leaves the CPU.
Fault Injection: Sophisticated physical attacks involving voltage manipulation.
BitLocker Vulnerabilities: Under certain circumstances, BitLocker without a PIN (TPM-only) can be compromised via cold boot attacks or bus sniffing. Recommendation: TPM plus a pre-boot PIN wherever a high level of protection is required.
TPM and Zero Trust
In modern zero-trust architectures, TPM serves as a hardware root of trust:
- Device Identity: Certificates in the TPM can prove device-specific identity
- Integrity Measurement: Remote attestation as a trust signal for conditional access
- Compliance Proof: "Only managed, intact devices are granted access to sensitive resources"