A Trusted Platform Module (TPM) is a dedicated, isolated microcontroller conforming to the ISO/IEC 11889 standard that generates, stores, and limits the use of cryptographic keys. It performs core security functions—including platform integrity measurement, remote attestation, and sealed key storage—within a tamper-resistant hardware environment, ensuring that secrets are never exposed to the host operating system, memory, or disk.
Glossary
Trusted Platform Module (TPM)

What is Trusted Platform Module (TPM)?
A Trusted Platform Module (TPM) is an international standard for a dedicated microcontroller designed to secure hardware through integrated cryptographic keys, providing a hardware-based root of trust for platform integrity and attestation.
During a measured boot, the TPM hashes the firmware, bootloader, and OS kernel, storing these integrity measurements in Platform Configuration Registers (PCRs). This enables remote attestation, where the TPM cryptographically signs a quote of these PCR values to prove to a third party that the system booted into a known, trusted software state, forming the hardware foundation for zero-trust architectures and cryptographic content attestation workflows.
Core Capabilities of a TPM
A Trusted Platform Module is a dedicated microcontroller that provides hardware-based, security-related functions. It is the bedrock for platform integrity, enabling secure key generation, cryptographic operations, and verifiable attestation of a system's state.
Cryptographic Key Generation & Storage
The TPM generates and stores cryptographic keys in hardware, isolated from the operating system and applications. A critical feature is the Endorsement Key (EK) , a unique, burned-in RSA or ECC key pair that serves as the device's immutable identity. The Storage Root Key (SRK) is generated when a user takes ownership, forming the root of a key hierarchy. All private keys are wrapped and stored within the TPM's shielded location, making them inaccessible to software-based attacks. This hardware isolation ensures that even if the main OS is compromised, the keys remain secure.
Platform Integrity & Measured Boot
The TPM enables measured boot, a process that creates a tamper-proof audit log of the system's startup sequence. Before each component (BIOS, bootloader, OS kernel) is executed, its cryptographic hash is calculated and stored in a Platform Configuration Register (PCR) inside the TPM. This creates a chain of trust where each stage measures the next. The resulting PCR values can be compared against known-good values to detect the presence of rootkits or unauthorized modifications, providing a strong assertion of platform integrity.
Remote Attestation
Remote attestation allows a system to prove its current software state to a remote party. The TPM signs a set of PCR values with a private Attestation Identity Key (AIK) , creating a cryptographic quote. This quote proves that the PCR values are authentic and were generated by a specific TPM. A remote verifier can then compare the signed PCR values against a trusted baseline to decide whether the platform is in a trustworthy state before granting it access to a network or releasing sensitive data.
Sealing and Binding Data
The TPM can encrypt data in a way that it can only be decrypted on the same machine and, optionally, only when the system is in a specific state. Binding encrypts data using a TPM's public key, ensuring it can only be decrypted by that specific TPM. Sealing goes further by binding the decryption to a specific set of PCR values. For example, a disk encryption key can be sealed to the PCRs representing a clean boot, ensuring it cannot be decrypted if the system is compromised by a bootkit.
Hardware-Entropy Random Number Generation
A TPM contains a true random number generator (TRNG) that sources entropy from physical hardware noise, such as thermal noise or clock jitter. This is a critical capability for generating non-deterministic, unpredictable cryptographic keys and nonces. Unlike software-based pseudo-random number generators (PRNGs), the TPM's TRNG is not susceptible to algorithmic prediction or seeding failures, providing a fundamental source of high-quality randomness for all cryptographic operations performed on the platform.
Protected Cryptographic Operations
The TPM performs cryptographic operations like signing, hashing, and encryption within its own tamper-resistant processor. This means the private key material never leaves the chip in plaintext. The host system sends a command and data to the TPM, the operation is executed internally, and only the result is returned. This protects against memory-scraping malware and cold-boot attacks that target keys stored in system RAM, making the TPM a secure execution environment for sensitive cryptographic tasks.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the hardware root of trust that underpins modern cryptographic attestation and platform integrity.
A Trusted Platform Module (TPM) is an international standard (ISO/IEC 11889) for a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. It functions as a hardware root of trust, performing operations such as key generation, key storage, and platform authentication in a tamper-resistant environment isolated from the main CPU, operating system, and applications. The TPM contains a unique, burned-in Endorsement Key (EK) during manufacturing, which establishes its identity. It generates and stores other key types, including Storage Root Keys (SRK) and Attestation Identity Keys (AIK), entirely within the chip. Because the private key material never leaves the TPM in plaintext, even a compromised operating system cannot extract the keys, making it a foundational component for secure boot, device identity, and cryptographic content attestation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A Trusted Platform Module (TPM) operates within a broader ecosystem of hardware security and cryptographic attestation standards. These related concepts define how TPMs interact with other secure elements and protocols to establish a complete chain of trust.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us