TPM and HSM Hardware Encryption Devices

Both a Trusted Platform Module (TPM) and a hardware security module (HSM) can be used for hardware encryption and both are mentioned
specifically in the objectives for the SY0-301 Security+ exam.  With this in mind, it’s important to know what these devices are and how they differ.

A Trusted Platform Module (TPM) is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption. Many
laptop computers include a TPM, but if the system doesn’t include it, it is not feasible to add one. Once enabled, the Trusted Platform Module provides full disk encryption capabilities. It keeps hard drives locked, or sealed, until the system completes a system verification or authentication process.

The TPM includes a unique RSA key burned into it, which is used for asymmetric encryption. Additionally, it can generate, store, and
protect other keys used in the encryption and decryption process.

A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys.
High performance HSMs are external devices connected to a network using TCP/IP. Smaller HSMs come as expansion cards you install within a server, or as devices you plug into computer ports.

One of the noteworthy differences between the two is that HSMs are removable or external devices. In comparison, a TPM is a chip
embedded into the motherboard. You can easily add an HSM to a system or a network, but if a system didn’t ship with a TPM, it’s not feasible to add one later. Both provide secure encryption capabilities by storing and using RSA keys.

The following table outlines these key characteristics.

Comparing TPM and HSM

Security+ Practice Test Question

As an example, the following question from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide tests your knowledge between the two.


Your organization recently  purchased several new laptop computers for employees. You’re asked to encrypt  the laptop’s hard drives without purchasing any additional hardware. What would  you use?



C. VM  escape



Answer. A. A Trusted Platform Module (TPM) is included in many new laptops, provides a mechanism for vendors to perform hard drive encryption, and does not require purchasing additional hardware.

An HSM is a removable hardware device and is not included with laptops, so it requires an additional purchase.

A VM escape attack runs on a virtual system, and if successful, it allows the attacker to control the physical host server and all other virtual servers on the physical server.

A network-based Data Loss Protection (DLP) system can examine and analyze network traffic and detect if confidential company data is