What is the difference between HSM and TSM? (2024)

Hardware security modules (HSM) and trusted platform modules (TPM) seemingly do the same thing: they manage secret keys and enable data protection.

But what does “managing secrets” mean, and what’s the difference between the two? Before diving deeper, let’s explore why computers need help with managing their secrets.

What are trusted platform modules and hardware security modules for?

Sensitive data needs to be protected, which is why data centers employ physical security. But what if an attacker gains remote access to a computer system over the Internet? Encryption can provide an additional layer of protection. Encryption algorithms use secret keys, sometimes simply called secrets. An attacker must also know the secret to decrypt the data. The additional layer of protection greatly improves authentication.

But where do we store the keys? The good ones are long and hard to remember, and we need quite a few of them for different reasons. Storing data is what computers are for. Thus, we have the Catch-22: we need computers to store encrypted data, and we also need them to store an encryption key, which itself is data!

The trivial example illustrates the need for devices like HSM and TPM. Their purpose is to allow computers to resolve the cryptography Catch-22 above.

What is a HSM?

HSM stands for hardware security module. HSMs are hardware devices that can reside on a computer motherboard, but the more advanced models are contained in their own chassis as an external device and can be accessed via the network. AWS offers AWS CloudHSM and provides a convenient service for performing asymmetric cryptographic transactions.

HSMs are better than simply storing secrets on an SSD because they allow applications to easily generate secrets and perform operations on secrets, but they do not allow them to easily read secrets.

In other words, a piece of software can use an HSM to generate a key, and send data to an HSM for encryption, decryption or cryptographic signing, but it cannot know what the key is. In fact, even physically gaining access to an HSM is not a guarantee that the keys can be revealed. Many HSMs automatically destroy keys if tampering attempts are detected.

If an attacker gains access to a computer system with encrypted data, they will not be able to decrypt it without a key. And if they gain access to an HSM, they will not be able to read the secure keys.

But HSMs can do more than just store cryptographic keys. High-end models can offer significant hardware acceleration of cryptographic functions such as key generation, encryption, decryption, cryptographic signing, digital signing and signature validation.

What is a TPM?

TPM stands for trusted platform module. TPMs are small hardware devices that are usually embedded into computer motherboards and are also available as external devices.

A TPM contains a secret key which is not accessible to the outside world. Because a TPM is usually integrated with its host computer as a TPM chip, it can be used to uniquely sign/encrypt and decrypt data created on this computer. One practical application of this is securing boot: a computer's UEFI will refuse to boot if its storage device or other hardware has been tampered with, using a TPM as a root of trust.

A TPM also allows storing other keys and performing basic cryptographic operations, similar to an HSM. Microsoft has required TPM 2.0 for users to upgrade to Windows 11 as it requires a secure boot. Windows 11 uses the TPM as key storage for full disk encryption and to power the Windows Hello authentication method.

What is the difference between TPM and HSM?

So far it seems that a TPM is just a smaller HSM embedded onto a computer motherboard. This is not quite true:

  • HSMs are more powerful. High-end HSMs can be faster than a computer CPU when performing cryptographic operations and, in addition to enhanced security, they provide meaningful acceleration of encryption or decryption. Some are even capable of running their own operating system and executing custom programs designed specifically to run inside of an HSM!
  • HSMs are generic devices that conform to APIs such as PKCS #11. They are accessible to any application that wants to use their services. TPMs, by contrast, are usually more closely integrated with their host computers, their operating system, their booting sequence, or the built-in hard drive encryption.
  • HSMs are meant to be used in data centers, while the scope of a TPM is usually a single system.

Usage examples for TPMs and HSMs

All iPhones contain a TPM inside, but Apple calls it T2. This chip secures the lock/unlock sequence, the booting process and provides the encryption for the iPhone’s storage. It ensures that even if the phone’s storage is physically removed, it will be impossible to read elsewhere.

Another example is protecting data centers. Remote access to cloud computing resources is usually implemented using remote access protocols such as SSH, RDP, or built-in protocols for databases. The common configuration of these protocols requires every resource to know the key of every user. This is not only insecure, it is also impractical when the number of servers, databases, or users constantly grows. NIST provides the FIPS 140 guidelines on Security Requirements for Cryptographic Modules.

A much better approach is to move away from key management to certificates, e.g. automatically-expiring keys signed by a certificate authority. This means that instead of protecting thousands of keys, only a single key called a certificate authority (CA) needs to be stored in a secure place, such as an HSM.
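
The two ideas above, a key that software can use but not read and a single CA key signing automatically expiring credentials, as an added Go example that is not from the original article or from Teleport's code. opaqueSigner is a hypothetical software stand-in for an HSM key handle, and the names example-ca and alice are constructed.

```go
package main
import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// opaqueSigner stands in for an HSM key handle (assumption, not a real driver): sign-only access.
type opaqueSigner struct{ priv ed25519.PrivateKey }
func (s opaqueSigner) Public() crypto.PublicKey { return s.priv.Public() }
func (s opaqueSigner) Sign(r io.Reader, m []byte, o crypto.SignerOpts) ([]byte, error) {
	return s.priv.Sign(r, m, o)
}

// issue asks the CA handle to sign a certificate for pub; a nil parent self-signs.
func issue(ca crypto.Signer, parent *x509.Certificate, pub crypto.PublicKey, cn string, ttl time.Duration, ku x509.KeyUsage) (*x509.Certificate, error) {
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl), BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, ca)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt is the resource-side check: it holds only the CA certificate, no user keys.
func verifyAt(caCert, leaf *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo CA key; errors elided in this driver
	ca := opaqueSigner{priv}
	caCert, _ := issue(ca, nil, ca.Public(), "example-ca", 24*time.Hour, x509.KeyUsageCertSign)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leaf, _ := issue(ca, caCert, userPub, "alice", time.Hour, x509.KeyUsageDigitalSignature)
	println(verifyAt(caCert, leaf, time.Now()) == nil, verifyAt(caCert, leaf, time.Now().Add(2*time.Hour)) == nil)
}
```

The one-hour certificate verifies now and is rejected two hours later, and the verifier never holds anything but the CA certificate.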

Teleport is an open-source certificate-based multi-protocol access proxy that allows data center and cloud operators to get rid of keys in their infrastructure and reduce the attack surface to a single, most secure component.

Conclusion

So, what is the difference between TPM and HSM? In a nutshell, they are quite similar but HSMs offer more features, more performance and are available in more form factors at a much higher price.

Article information

Author: Francesca Jacobs Ret
