Trusted Platform Modules Unlocked

In this post, we will demystify the Trusted Platform Module (TPM) for the RPi by exploring how this dedicated hardware vault protects your digital identity through secure key management, integrates seamlessly with OpenSSL and Nginx to harden web services, and provides robust disk encryption that remains locked even if your storage media is physically stolen.

TIP: Get a LetsTrust TPM for your RPi from Buyzero today!

Passwords and Keys

In cryptography, passwords and keys serve distinct but related roles. A password is a human-readable secret (something you know) typically used for initial authentication. Because humans struggle to remember random data, passwords often have low entropy (easy to crack), making them vulnerable to guessing or brute-force attacks. Conversely, a cryptographic key is a high-entropy (hard to crack), machine-generated random string (something you have) used to lock and unlock mathematical functions. In secure systems, a password is often just the “trigger” that unlocks or derives a much stronger cryptographic key, allowing the system to use robust encryption without requiring the user to memorize a 256-bit string of gibberish.

The two primary methods of using these keys are symmetric and asymmetric encryption. Symmetric encryption uses a single shared secret key to both encrypt and decrypt data. It is exceptionally fast and efficient, making it the “workhorse” for processing large volumes of data. Asymmetric encryption uses a mathematically linked pair: a public key for encryption and a private key for decryption. While much slower than symmetric methods, it solves the problem of “key distribution” because you can safely share your public key with the world without compromising your private vault.

How symmetric and asymmetric keys differ

The reason for two separate keys is to solve the “Safe-in-the-Mail” problem: 

How do you send someone a secret if you don’t already have a shared password?

If you use a single key (Symmetric), you have to get that key to the other person first. If an attacker intercepts the key during the hand-off, your security is broken. Asymmetric encryption fixes this by splitting the “Locking” and “Unlocking” functions into two different keys:

  • The Public Key (The Open Padlock): Think of this as an open padlock that you hand out to anyone who wants it. Others can use it to lock a box, but once that box is clicked shut, the person who locked it cannot open it again.
  • The Private Key (The Only Key): This is the physical key that stays secret in your pocket. It is the only thing that can open those padlocks.

In this system, anyone in the world can lock a message for you using your “padlock,” but only you possess the “key” to see what is inside. This allows two people to communicate securely without ever having to risk sending a shared password across the internet.

Real-World Use Cases

  • Symmetric Encryption (The Workhorse): This is primarily used for Full Disk Encryption (FDE) on your computer or smartphone. When you turn on your device and enter a password, the system uses a fast symmetric algorithm (like AES-256) to instantly decrypt gigabytes of data on your drive as you access them, ensuring that if the hardware is stolen, the data remains unreadable.
  • Asymmetric Encryption (The Gatekeeper): This is the foundation of Digital Signatures and Secure Web Browsing (HTTPS). When you visit a bank’s website, your browser uses the bank’s public key to verify their identity and securely “handshake” a temporary secret; this allows you to establish a private connection with a stranger across the internet without ever having met them to exchange a password beforehand.

TPMs and Key Storage

In the context of encryption, a TPM (Trusted Platform Module) is a dedicated “security processor” that runs independently from the RPi and acts as both a key generator and a hardware vault. It ensures that sensitive keys are created and used in an isolated environment, far away from the operating system where malware might be watching. 

Where keys are stored

To understand why a TPM is special, we have to look at where keys live in a standard (non-TPM) system versus a TPM-hardened one:

Feature          | Standard (No TPM)                                              | With TPM 2.0
-----------------|----------------------------------------------------------------|----------------------------------------------------------------------------
Generation       | Software uses the CPU to pick random numbers.                  | The TPM has a physical, hardware-based random number generator.
Storage Location | Keys are stored as files on your SD card or hard drive.        | Keys are stored inside the TPM chip or “wrapped” by it. **
Exposure         | To use the key, the CPU must load the raw key into system RAM. | The key stays inside the TPM; the CPU sends data to the TPM for processing.

** Wrapping means a key is encrypted and stored on your disk, but in a form that is only usable by the TPM.

So essentially, your secrets remain locked inside a purpose-built, attack-resistant device. They are never exposed in RAM or (even worse) stored in usable form on your hard disk.

Application Support

In 2026, Linux application support for TPM 2.0 has moved from experimental tools to core system services. Below are the primary applications and tools that leverage the TPM for enhanced security.

Web Servers & Network Security

These applications use the TPM to ensure that the “Identity” of the server (the Private Key) is never exposed in plain text on the disk.

  • Nginx & Apache: By using the tpm2-openssl provider (the modern route for OpenSSL 3.x) or the tpm2-tss-engine (legacy), Nginx and Apache can serve HTTPS traffic using a private key that stays inside the TPM.
  • OpenSSL: The foundational library for almost all Linux security. The tpm2-openssl project allows standard command-line tools to generate keys, sign documents, and create CSRs directly on TPM hardware.
  • StrongSwan (VPN): Protects VPN client identities by storing the private authentication keys in the TPM, preventing them from being cloned to another machine. 

Disk Encryption & System Boot 

The TPM is most commonly used here to “seal” encryption keys so the system only unlocks if it hasn’t been tampered with. 

  • systemd-cryptenroll: A modern tool in the systemd suite used to “enroll” a TPM 2.0 module into a LUKS-encrypted drive. It can also require a PIN at unlock time, giving you a PIN-protected boot.
  • systemd-creds: Securely stores and retrieves sensitive credentials (like database passwords) used by systemd services, binding them to the TPM. 
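As an added illustration (not code from this post, and not the real TPM API), the Python below simulates the two ideas described above: a secret that is only ever handed back “wrapped” by a root secret that never leaves the chip, and a secret “sealed” to PCR measurements so it unseals only when the measured boot chain matches. The SimulatedTpm class, its HMAC-based wrapping scheme, and the boot-component strings are constructed for this example; only the PCR extend rule is the real TPM 2.0 one.

```python
import hashlib
import hmac
import secrets

class SimulatedTpm:
    def __init__(self):
        self._root = secrets.token_bytes(32)   # lives only inside the 'chip'
        self.pcr = bytes(32)                   # PCRs are all zeros at power-on

    def boot(self, components):  # power-on: PCR resets, then each component is measured
        self.pcr = bytes(32)
        for component in components:
            self.extend(component)

    def extend(self, measurement):
        """TPM 2.0 extend rule: PCR = SHA-256(PCR || SHA-256(measurement))."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()
        return self.pcr

    def _wrap_key(self):
        # Root secret AND current PCR feed the wrapping key (stand-in for a PCR policy).
        return hmac.new(self._root, b"seal|" + self.pcr, hashlib.sha256).digest()

    def seal(self, secret):
        """Return a blob safe to keep on the SD card (secret of up to 32 bytes)."""
        wrap, nonce = self._wrap_key(), secrets.token_bytes(16)
        stream = hmac.new(wrap, b"stream|" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        return nonce + ct + hmac.new(wrap, b"tag|" + nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob):
        """Recover the secret only if the PCR equals its value at seal time."""
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        wrap = self._wrap_key()
        expected = hmac.new(wrap, b"tag|" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # wrong boot state or wrong chip
        stream = hmac.new(wrap, b"stream|" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))

def demo():
    """Seal a constructed LUKS key to a good boot; replay a good and a tampered boot."""
    tpm = SimulatedTpm()
    good_boot = [b"firmware v1 (constructed)", b"kernel 6.1 (constructed)"]
    tpm.boot(good_boot)
    blob = tpm.seal(b"L" * 32)             # sealed LUKS key, stored on the SD card
    tpm.boot(good_boot)                    # identical software: unlocks
    unlocked = tpm.unseal(blob) == b"L" * 32
    tpm.boot([good_boot[0], b"kernel 6.1 (tampered)"])
    return unlocked, tpm.unseal(blob) is None
```

The blob a real system keeps on the SD card behaves the same way: it is useless to anyone without the same chip in the same measured boot state, which is also why a dead chip leaves the data unrecoverable.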

Messaging & Identity

These tools help individuals protect their digital signatures and private communications. 

  • GnuPG (GPG): Since version 2.3, GPG supports moving compatible keys into the TPM. This means your email signing or file encryption keys are hardware-protected.
  • SSH: Through the tpm2-pkcs11 interface, users can store their SSH private keys in the TPM. Even if a laptop is stolen, the attacker cannot “dump” the SSH key to access remote servers.

Developer & System Tools

  • tpm2-tools: The standard “Swiss Army Knife” for interacting with the TPM from the command line. It includes commands like tpm2_getrandom to generate high-quality random numbers for any application.
  • Keylime: An open-source project for Remote Attestation, allowing a server to prove its health and integrity to a remote monitor using its TPM. 

Protection with caveats

In most traditional setups, your operating system’s security ultimately relies on physical security. If an attacker can physically access your SD card or hard drive contents, they can usually bypass software passwords and copy your private keys. The TPM changes this paradigm. Because the TPM is tamper-resistant, generates keys internally, and performs cryptographic operations within its own silicon, it never discloses usable secrets to the rest of the system. This effectively severs the link between having access to the files and having access to the encryption keys.

However, this security comes with a vital word of caution: when you use a TPM, the physical hardware becomes the “Single Point of Success.” Because high-security keys are “non-migratable” (meaning they cannot be copied or moved from the TPM), they are permanently locked to that specific chip. If the TPM is damaged, or the hardware is lost, your data is effectively gone. There is no “forgot password” button for a TPM-wrapped key.

More on this

If you found this overview valuable, keep an eye on our video channel. Over the coming weeks, I will be releasing a step-by-step deep dive into the most popular real-world implementations, including:

  • Hardening OpenSSL: Generating your first hardware-backed key.
  • Secure Web Hosting: Configuring Nginx to use TPM-resident certificates.
  • Disk Encryption: Setting up PIN-protected LUKS for a tamper-resistant boot.

Look for the first video in the series dropping soon!

Where to get your TPM

If you are interested in exploring the benefits of a TPM for 2026 deployments, ensure your TPM supports the TPM 2.0 specification, as older 1.2 modules are obsolete and lack modern algorithm support. 


Secure your application or deployment with us

Do you or your team want a consultation on best practices? Our team of experts is ready to help you navigate complex security architectures, implement robust encryption standards, and ensure your deployments are resilient against both digital and physical threats. Contact our professionals at [email protected] to start securing your applications today.

Resources