TPM (Trusted Platform Module)

TPM is a hardware-based security component that securely stores cryptographic keys and performs security functions to protect system integrity.

What is a TPM?

Trusted Platform Module (TPM) is a dedicated security chip (or firmware-based equivalent) integrated into a computer's motherboard or CPU. It provides hardware-backed cryptographic operations, such as key generation, storage, and integrity verification. TPM operates independently from the operating system, making it resistant to many software-based attacks.

Why TPM matters

TPM is critical because it:

  • Protects cryptographic keys from extraction
  • Verifies system integrity during boot
  • Enables strong disk encryption
  • Supports secure authentication mechanisms
  • Forms a foundation for modern endpoint security

Many modern security features rely directly on TPM.

What TPM is used for

Common TPM use cases include:

  • Full disk encryption key protection (e.g., BitLocker, LUKS with a TPM-bound key)
  • Measured boot (recording each boot stage, including the Secure Boot state, in PCRs)
  • Credential protection (keys, certificates that cannot be exported in the clear)
  • Device identity and remote attestation (a TPM-signed report of the PCR values)
  • Platform integrity verification

TPM provides a hardware root of trust for these functions; it does not by itself make the rest of the platform trustworthy.

TPM versions

The most common versions are:

  • TPM 1.2 - legacy; limited to SHA-1 and RSA, single PCR bank
  • TPM 2.0 - current standard; algorithm-agile (SHA-256, ECC, multiple PCR banks) with a richer policy model for authorizing key use

Modern operating systems and security features typically require TPM 2.0.

TPM types

TPM implementations include:

  • Discrete TPM - dedicated, separately certified chip connected to the CPU over a bus such as LPC or SPI
  • Firmware TPM (fTPM) - implemented in firmware running in a trusted execution environment of the CPU (e.g., Intel PTT, AMD fTPM)
  • Integrated TPM - dedicated TPM logic built into another chip (chipset or SoC) rather than a separate package

All types implement the same TPM 2.0 interface and aim for the same guarantees. Discrete chips are usually considered the strongest because they are evaluated in isolation, but their external bus is also the easiest to probe physically.

TPM and system boot security

During startup, each boot stage uses the TPM to:

  • Measure (hash) the firmware, bootloader, and OS components before they run
  • Record the measurements by extending Platform Configuration Registers (PCRs), which can only be extended, never overwritten, until the next reset
  • Let the OS or a remote verifier compare the recorded values against known-good ones
  • Refuse to release keys sealed to the expected PCR values when the recorded measurements differ

This process is measured boot. The TPM does not block a modified component from running; it only records that it ran. Secure Boot is a separate UEFI mechanism that verifies signatures before execution; the TPM records the Secure Boot policy state (in PCR 7) but does not enforce it.

TPM and encryption

TPM is widely used to:

  • Seal disk encryption keys so they are bound to that specific TPM and to a chosen set of PCR values
  • Release (unseal) keys only if the current PCR values match those at sealing time
  • Protect data even if the storage is removed from the device, because the key is useless without the original TPM

This significantly reduces the risk of offline data theft. Note that a TPM-only protector releases the key automatically whenever the expected boot chain runs, so an intact stolen device still boots with the disk unlocked; adding a PIN or startup key requires a second factor before the key is released.
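To make the measured-boot and sealing behaviour described in the two sections above concrete, here is an added simulation (not code from this page, and not a real TPM driver) that models a PCR bank, TPM2_PCR_Extend, a simplified PCR policy, and seal/unseal. The boot components, PCR assignments (0, 4, 11) and the volume master key are constructed placeholders; the policy digest and the HMAC-based wrapping are simplifications of what a real TPM does internally.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_INIT = bytes(32)  # a SHA-256 PCR reads as all zeros after platform reset

# Constructed sample boot components; real measurements are hashes of the
# actual firmware volumes, boot manager and kernel images.
FIRMWARE = b"UEFI firmware 1.2 (constructed)"
BOOTLOADER = b"boot manager build 4711 (constructed)"
KERNEL = b"OS kernel 6.1 (constructed)"
VMK = bytes(range(32))  # stand-in for a disk encryption volume master key
PCR_SELECTION = [0, 4, 11]  # simplified assignment: firmware, boot manager, OS loader


def pcr_extend(pcr_old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new value = H(old || digest). A PCR can only be
    extended, never written, so the final value depends on every measurement
    and on the order in which they were made."""
    return HASH(pcr_old + digest).digest()


def _keystream(seed: bytes, policy: bytes, length: int) -> bytes:
    """HMAC-based keystream bound to the TPM's seed and the PCR policy (model only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, policy + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return bytes(out[:length])


class SimulatedTPM:
    """Toy TPM with a PCR bank and seal/unseal gated on a PCR policy.
    `seed` models the storage primary seed that never leaves the chip."""

    def __init__(self) -> None:
        self.seed = os.urandom(32)
        self.reset()

    def reset(self) -> None:
        """Platform reset (reboot) returns every PCR to its initial value."""
        self.pcrs = [PCR_INIT] * 24

    def extend(self, index: int, component: bytes) -> bytes:
        """Measure a component into a PCR before control is handed to it."""
        self.pcrs[index] = pcr_extend(self.pcrs[index], HASH(component).digest())
        return self.pcrs[index]

    def policy_pcr(self, selection: list) -> bytes:
        """Simplified TPM2_PolicyPCR: a digest over the selected PCR values."""
        return HASH(b"".join(self.pcrs[i] for i in selection)).digest()

    def seal(self, secret: bytes, selection: list) -> dict:
        """Wrap a secret so it is released only under the current PCR values."""
        policy = self.policy_pcr(selection)
        ks = _keystream(self.seed, policy, len(secret))
        ct = bytes(a ^ b for a, b in zip(secret, ks))
        tag = hmac.new(self.seed, policy + ct, HASH).digest()
        return {"selection": list(selection), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        """Return the secret only if the current PCRs satisfy the sealed policy
        and the blob was produced by this TPM; otherwise return None."""
        policy = self.policy_pcr(blob["selection"])
        if not hmac.compare_digest(policy, blob["policy"]):
            return None  # real TPM: TPM_RC_POLICY_FAIL (boot chain changed)
        tag = hmac.new(self.seed, policy + blob["ct"], HASH).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # real TPM: TPM_RC_INTEGRITY (sealed by a different TPM)
        ks = _keystream(self.seed, policy, len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def boot(tpm: SimulatedTPM, firmware: bytes, bootloader: bytes, kernel: bytes) -> None:
    """Measured boot: each stage measures the next one before running it."""
    tpm.reset()
    tpm.extend(0, firmware)
    tpm.extend(4, bootloader)
    tpm.extend(11, kernel)


def provision(tpm: SimulatedTPM) -> dict:
    """Boot the trusted chain once and seal the VMK to the resulting PCRs."""
    boot(tpm, FIRMWARE, BOOTLOADER, KERNEL)
    return tpm.seal(VMK, PCR_SELECTION)


def scenario() -> tuple:
    """Trusted reboot releases the key; a patched boot manager or a different
    TPM (disk moved to another machine) does not."""
    tpm = SimulatedTPM()
    blob = provision(tpm)
    boot(tpm, FIRMWARE, BOOTLOADER, KERNEL)
    released_on_trusted_boot = tpm.unseal(blob) == VMK
    boot(tpm, FIRMWARE, b"patched boot manager (constructed)", KERNEL)
    released_after_tamper = tpm.unseal(blob)
    other = SimulatedTPM()
    boot(other, FIRMWARE, BOOTLOADER, KERNEL)
    released_on_other_tpm = other.unseal(blob)
    return released_on_trusted_boot, released_after_tamper, released_on_other_tpm


if __name__ == "__main__":
    print(scenario())  # (True, None, None)
```

The third case is the "storage removed from the device" scenario: the other TPM boots the identical chain and so computes the same PCR policy, but its wrapping seed differs, so the integrity check fails and the key is never released.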

TPM in enterprise environments

Organizations use TPM to:

  • Enforce device trust and compliance
  • Enable conditional access based on device health
  • Support Zero Trust architectures
  • Meet regulatory and security requirements
  • Protect endpoints at scale

TPM is often mandatory in modern enterprise deployments.

Security considerations

While TPM is a strong building block:

  • Misconfigured firmware (for example, boot order or Secure Boot settings left open) can weaken the protections built on it
  • Physical attacks are still possible with sufficient resources; with a discrete TPM and a TPM-only disk protector, the key is sent over the LPC/SPI bus on every boot and can be sniffed, and keys already loaded into RAM are exposed to cold-boot attacks
  • The TPM must be properly initialized (ownership taken, PCR policy chosen) and managed; TPM firmware itself has had vulnerabilities, so vendor updates matter
  • Firmware and BIOS updates change PCR values, so keys sealed to those PCRs (such as a BitLocker protector) must be suspended or re-sealed beforehand, or the system will fall back to recovery

TPM security depends on correct platform configuration, not on the chip alone.

Common misconceptions

  • "TPM is software-only" - it is a hardware component or a firmware implementation running in protected CPU hardware, not an OS feature
  • "TPM encrypts all data automatically" - it protects keys; the OS still has to enable and use disk encryption
  • "TPM guarantees complete system security" - it records and gates, but cannot stop malware running after boot or fix a misconfigured platform
  • "TPM is only needed for Windows 11" - Linux (LUKS, IMA, systemd-cryptenroll), macOS-style secure enclaves, servers, and cloud attestation rely on the same concept