What is a Trusted Platform Module (TPM)?

How can I protect my laptops and computers?
Personal devices, such as laptops and computers, have transformed the way society operates. Whether accessing banking or healthcare applications, working remotely or simply visiting social media and other entertainment sites, it is essential that security measures are in place to ensure you do not fall victim to a malicious attack.

Hackers can quickly weaponize these devices to cause significant financial and reputational damage through ransomware and other sophisticated techniques. This is not limited to remote attacks either – if a device is physically stolen, owners need to trust that the data and secrets held on the device will be sealed off from unauthorized users. From this threat landscape emerged the Trusted Platform Module (TPM).

What is the TPM?
Ensuring trusted computing for over twenty years, the TPM is a secure crypto-processor which is attached to a device to establish secure operations.

Using a TPM helps to protect a user’s identity and sensitive data by storing the relevant keys vital for encryption, decryption and authentication. Doing so provides a first line of defense against potentially critical malware and firmware attacks, as it ensures all data remains encrypted even if an attack takes place.

When would I need to use the TPM?
When you need to provide strong hardware-based attestation and authentication capabilities. Utilizing a TPM enables manufacturers and users to establish the essential trusted principles of verification, data protection, identity and attestation.

What sort of devices does the TPM protect?
Currently sitting at the heart of over 2 billion devices worldwide, the TPM can be considered a ‘silent guardian’, ensuring device security despite many people not even knowing of its existence. Initially designed to protect computers, as technology has evolved so have the use cases and applications for the TPM. From individual laptops and computers to printers and data centers, many devices have some form of TPM integrated within them.

How does the TPM work?
By implementing a TPM chip, devices gain robust hardware-based protection rather than just software security, allowing manufacturers to encrypt disks, defend against firmware attacks, ransomware and dictionary attacks, and much more.

Once a device is booted up, the TPM will review its health and its environment, and only allow it to operate so long as it is found to be in a trustworthy state. Residing within a device as a dedicated processor, the TPM contains an Endorsement Key (EK), which is impervious to software-based access, and the Attestation Identity Key (AIK), which protects the device against illicit modification by hashing sections of firmware and software before they are executed. These hashes are provided to the server for validation once the system tries to connect to the network. In the event of a mismatch, the boot process will not occur and there will be no way to access and exploit any of the data stored within the device.
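To make the measurement-and-validation step above concrete, here is an added example (not code from TCG or from any TPM implementation) that simulates how boot-time hashes accumulate in a Platform Configuration Register (PCR) and how a verifier checks them. It follows the TPM 2.0 extend rule for a SHA-256 PCR bank, new PCR = SHA256(old PCR || SHA256(measured data)), starting from an all-zero register. The boot events, the "golden" reference value and the tampered kernel are constructed sample data, not measurements from a real device.

```python
import hashlib
import hmac

PCR_SIZE = 32                 # SHA-256 bank: 32-byte register
INITIAL_PCR = bytes(PCR_SIZE) # PCRs reset to zero at boot

# Constructed sample boot log: (component name, bytes that would be hashed before execution).
BOOT_EVENTS = [
    ("bootloader", b"sample bootloader image v1"),
    ("kernel", b"sample kernel image v1"),
    ("kernel-cmdline", b"root=/dev/sda1 quiet"),
]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend operation: the register can only be folded forward, never set."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events) -> bytes:
    """Recompute the PCR value a device would report after measuring every event in order."""
    pcr = INITIAL_PCR
    for _name, data in events:
        pcr = extend(pcr, data)
    return pcr


def server_validate(reported_pcr: bytes, event_log, golden_pcr: bytes) -> bool:
    """Verifier side: the log must replay to the reported PCR, and the PCR must match the
    known-good value recorded when the device was provisioned. Any changed, missing or
    reordered component changes the final hash and fails the check."""
    replayed = replay_log(event_log)
    return (hmac.compare_digest(replayed, reported_pcr)
            and hmac.compare_digest(reported_pcr, golden_pcr))


def tampered_events():
    """Same boot log, but the kernel image has been modified (constructed scenario)."""
    return [(n, b"sample kernel image v1 with one changed byte" if n == "kernel" else d)
            for n, d in BOOT_EVENTS]


if __name__ == "__main__":
    golden = replay_log(BOOT_EVENTS)  # value recorded at provisioning time
    print("trusted boot accepted :", server_validate(golden, BOOT_EVENTS, golden))
    bad = replay_log(tampered_events())
    print("tampered boot accepted:", server_validate(bad, tampered_events(), golden))
```

The point the example makes is that the verifier never needs the firmware itself, only the ordered log and the final register value: because each extend feeds the previous value into the next hash, a modification anywhere in the chain, or a swap of two components, produces a different PCR and the comparison against the golden value fails.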

The solution offers enhanced security measures by signing and verifying data that is provided to a device to establish its identity, whilst providing hardened storage for software and platform keys to protect any algorithms being computed. Even in the event of a successful attack, unauthorized entities should still be unable to access the information stored within the RoT. Provisioning a TPM delegates the responsibility for initializing and maintaining the solution to the operating system. This means heightened security can be established and automated, without the need for continuous system evaluation by a security professional.

Since the development of TPM 2.0, the chip includes algorithm interchangeability, giving the TPM the power to exchange algorithms for enhanced cryptographic agility. TPM 2.0 overcomes the limitations of the original specification, offering improved basic verification signatures while enabling keys to be handled for both limited and conditional use. This results in greater security functionality, enhanced performance and faster operations, with the chip suitable for use in devices where resources are limited.

Where is the TPM being used today?
TPM 2.0 is an essential tool in the fight against cyber threats, with major organizations mandating its presence for operating systems such as Windows 11. Through TPM 2.0, important features such as Windows Hello for identity protection and BitLocker for data protection can be utilized, making it an indispensable component of a device’s security infrastructure.

Where can I find more information on a TPM?

Interested in an overview of the solutions for other devices? See What is a Root of Trust?

Interested in other solutions that secure smaller devices? See MARS or DICE.

Interested in solutions for virtual environments? See vTPM.


Trusted Computing

Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.


Specifications

Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.
