TPMs or HSMs and their role in full-disk encryption (FDE)

March 4, 2019 by Graeme Messina

Your data can’t be secured without establishing a root of trust! Even when you use full-disk encryption to encrypt all of your data, you must first place your trust somewhere. Why not place it in a TPM or HSM?

You might be asking yourself: What are these technologies, and how do they actually help to keep your data safe and secure? To find out, we’ll have to look at each one to discover what makes them tick and which is the better of the two in 2019.


The two technologies are similar in a sense, because they both relate to encryption and security. However, we’ll soon see the way that they operate and the way that they are implemented are very different.

What is a TPM?

TPM stands for Trusted Platform Module. It is a chip built into a circuit such as the system board or main board of a computer or laptop. The chip stores cryptographic material and holds the keys that your system needs to encrypt certain data relating to the platform. The most common task associated with a TPM is FDE, or full-disk encryption.

This can be thought of as a local security measure that ties the encrypted disk to the machine and operating system it was set up on. If your hard drive is cloned and connected to another machine, it will not be readable without the cryptographic data held inside the TPM, which makes the data useless to anyone but you. The system is protected before the login screen even appears when booting into the operating system, which is valuable for corporate users and government IT equipment that store confidential data. FDE ensures that your data cannot be read by anyone else.

Most TPM chips hold an RSA key pair that is generated and kept inside the chip. This key is extremely difficult to crack, which makes it ideal for security applications. It is also used to protect additional keys, so the TPM acts like a nested security device that requires several layers of decryption if an attacker wishes to decrypt your system’s hard drive.
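To make the "cloned drive is useless on another machine" behaviour concrete, here is an added example (not from the article and not any vendor's TPM API) that models a TPM in Python: the chip-resident storage root key wraps the disk key, and the wrap is also bound to the boot measurements in PCRs 0 and 4. The class name, the HMAC-based wrapping (a stand-in for the real chip's RSA/AES wrapping) and the measurement values are all assumptions made for the example.

```python
import hashlib
import hmac
import os

class SimulatedTPM:
    # Constructed stand-in for a TPM chip: the storage root key (SRK) never leaves it
    def __init__(self):
        self._srk = os.urandom(32)                 # chip-resident secret, never exported
        self.reset()
    def reset(self):
        self.pcrs = [b"\x00" * 32 for _ in range(8)]   # power-on: every PCR starts at zero
    def extend(self, index, measurement):
        # One-way chain, so a PCR value can only be reproduced by replaying the same boot
        h = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + h).digest()
    def _wrap_key(self, indices):
        # Wrapping key depends on both the SRK and the selected PCR values
        policy = hashlib.sha256(b"".join(self.pcrs[i] for i in indices)).digest()
        return hmac.new(self._srk, b"seal" + policy, hashlib.sha256).digest()
    def seal(self, secret, indices):
        # secret is at most 32 bytes: the keystream is a single HMAC output
        k = self._wrap_key(indices)
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        return {"ct": ct, "tag": hmac.new(k, ct, hashlib.sha256).digest(), "pcrs": list(indices)}
    def unseal(self, blob):
        k = self._wrap_key(blob["pcrs"])
        if not hmac.compare_digest(hmac.new(k, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None                            # wrong chip or wrong boot state: refuse
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))

def boot(tpm, firmware, bootloader):
    tpm.reset()
    tpm.extend(0, firmware)        # PCR0: firmware measurement
    tpm.extend(4, bootloader)      # PCR4: boot manager measurement

def fde_scenarios():
    disk_key = os.urandom(32)      # constructed volume key that encrypts the disk
    tpm = SimulatedTPM()
    boot(tpm, b"firmware v1", b"bootloader v1")
    sealed = tpm.seal(disk_key, [0, 4])      # stored on disk beside the encrypted volume
    boot(tpm, b"firmware v1", b"bootloader v1")
    normal_boot = tpm.unseal(sealed) == disk_key
    boot(tpm, b"firmware v1", b"modified bootloader")
    tampered_boot = tpm.unseal(sealed) is None
    other = SimulatedTPM()                   # the cloned drive moved to another machine
    boot(other, b"firmware v1", b"bootloader v1")
    cloned_drive = other.unseal(sealed) is None
    return normal_boot, tampered_boot, cloned_drive
```

`fde_scenarios()` returns `(True, True, True)`: the key is released only on the original chip with an unchanged boot chain, and is refused both when the bootloader measurement differs and when the sealed blob is presented to a different chip.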

What is an HSM?

An HSM is a Hardware Security Module which, instead of being soldered directly to your motherboard, can be added to your system as a USB device or exist in a secure segment of a network as a trusted server. An HSM could be as simple as a consumer-level device or be an enterprise-grade appliance. Most banking software ships with a specialized hardware key, much like a security dongle. This device is paired with a specific account and cannot be copied or cloned. It cannot be interfered with by external code and is therefore very secure.

More secure devices, such as those found within an enterprise or governmental network, will connect into the network as an appliance and be contactable over the network. HSMs are more general-purpose security devices with better hardware capabilities, which allows them to perform multiple security operations for a multitude of devices and users, depending on how the technology has been implemented.

You can think of an HSM as a system that is used in conjunction with purpose-built hardware and software and is installed in an isolated location on the network. HSM systems also actively conceal the cryptographic functions that they perform, which adds further to the security of the way they operate.

What is KMS?

KMS (Key Management System) is a newer technology than both TPM and HSM. Key management systems are more modern implementations of cryptographic security and can operate across multiple platforms such as cloud and hybrid environments. Things start to get complicated because each cloud service generally handles security in its own way, so if you use two unrelated vendors for specific applications or services, you would have to support specific HSM standards for each.

KMS seeks to manage multiple environments from a single solution, especially in a cloud setup. This means that companies can enjoy benefits of the cloud, such as scaling and redundancy, while still enjoying the security that is required to operate successfully.

KMS also has its limitations, especially where multiple cloud providers are a requirement for companies to operate. Other offerings are available, such as AWS CloudHSM, which handles control functions such as scaling and management of your cloud services while keeping everything secure.

Which is better?

As with all technologies, there are certain scenarios where one of these two device types will be more useful or effective than the other. For example, an HSM is an effective tool to use on the network when encrypting customer data in a bank, while a TPM is able to encrypt local files and password-protect a hard drive for an offline device such as a laptop that is not connected to the network.

HSMs are also designed to be very fast at performing certain decryption tasks, which means that performance improvements are very real where an HSM solution is implemented as a replacement for a traditional client-server setup. An HSM makes sense where a local deployment is necessary, and this is traditionally where the technology has been used, especially for financial institutions such as banks.

KMS is a more modern approach that lets businesses that have gone to the cloud still interact with local data while still maintaining security. This is great news for companies that are expanding with cloud deployments, as it gives them all of the flexibility that they need without having to compromise on security.

The technologies that keep your data safe have changed drastically over the years, from simple encryption installed on a local device in a single electronic chip to specialized hardened networks that operate over corporate WANs and cloud hybrid solutions.

FIPS (Federal Information Processing Standards) is the set of standards that dictates how data should be encrypted and transmitted; it has seen several revisions over the years. The current standard is FIPS 140-2.

We are likely to see further developments in this space as security becomes more of a concern for businesses and governments, especially where legislation is concerned. Companies will need to remain compliant if they wish to do business in certain countries and territories, which is almost certain to drive innovation and newer, more secure technologies.



Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.