I’ve been thinking a lot about security for edge devices lately. If you’re deploying IoT devices or edge computing nodes “in the wild,” you’re facing a fundamentally different security challenge than traditional datacenter deployments. Let me tell you why I believe Trusted Platform Modules (TPMs) are essential for these scenarios.
The problem with edge security
Edge computing devices live dangerous lives. Unlike servers in datacenters – with their badge access, security cameras, and climate-controlled environments – edge devices often exist in completely exposed settings:
- Industrial IoT devices on factory floors
- Smart city sensors on street poles
- Agricultural monitors in remote fields
- Retail point-of-sale systems accessible to the public
- Energy monitoring equipment in unstaffed facilities
These devices face physical security threats that datacenter equipment simply doesn’t. Someone could literally walk away with your device, open it up on a workbench, and start probing.
The file system is not your friend
The standard approach to securing device credentials looks something like this:
/etc/secrets/
├── device_private_key.pem
├── device_certificate.pem
└── ca_certificate.pem
With file permissions set to something like:
chmod 600 /etc/secrets/device_private_key.pem
chown root:root /etc/secrets/device_private_key.pemThis might seem reasonable at first glance. After all, only root can read the private key, right?
But here’s the reality: if someone has physical access to your device, file permissions mean almost nothing.
An attacker can:
- Remove the storage media and mount it on another system
- Boot from a different OS that ignores your file permissions
- Exploit a vulnerability to gain root access
- Read the raw storage device directly, bypassing the filesystem entirely
- In some cases, even access memory to capture keys when they’re in use
Enter the TPM: Security in hardware
A Trusted Platform Module (TPM) is a specialized hardware chip designed specifically to address these problems. It’s a small, dedicated security processor that provides cryptographic functions and secure storage.
The magic of a TPM is simple: private keys never leave the chip. Even if an attacker has complete control over your operating system and filesystem, they can’t extract the private keys stored in the TPM.
Here’s what a basic TPM looks like:
Image: Gigabyte
Modern devices often have TPMs built in. They’re standard on business laptops and increasingly common on IoT and edge computing platforms.
How TPM protects your secrets
The TPM approach to security is fundamentally different from filesystem security:
-
Hardware isolation: Cryptographic keys are stored in the TPM’s secure storage, physically isolated from the main system.
-
Non-extractable keys: Private keys generated in the TPM can be marked as “non-extractable,” meaning they can never be read, even by authorized software. They can only be used for operations like signing or decryption.
-
Cryptographic operations happen inside the TPM: When your application needs to sign data with a private key, it sends the data to the TPM, which performs the signing operation internally and returns only the signature.
-
Physical tamper resistance: TPMs are designed to resist physical attacks. Attempting to physically probe the chip typically results in the destruction of the secrets it contains.
Let’s look at a simplified comparison:
Filesystem approach:
Application → Reads private key from file → Loads key into memory → Performs crypto operations
TPM approach:
Application → Sends data to TPM → TPM performs crypto operations internally → Returns only the result
The key difference: with a TPM, the private key never exists in the main system’s memory or storage.
Beyond key protection: What else can TPM do?
TPMs offer several other security features that are valuable for edge devices:
-
Secure boot: Verify that your device boots only authorized software.
-
Remote attestation: Prove to a remote server that your device is running trusted software.
-
Sealed storage: Encrypt data in a way that it can only be decrypted when the system is in a known-good state.
-
Random number generation: Generate high-quality random numbers for cryptographic operations.
-
Monotonic counters: Prevent replay attacks by maintaining counters that only increase.
For edge devices that might process sensitive data or control critical infrastructure, these capabilities can be essential.
Is TPM perfect? No, but it’s much better
TPMs aren’t magical security devices that solve all problems. They have limitations:
- They’re not designed to resist sophisticated hardware attacks (like electron microscopy)
- They can sometimes be vulnerable to side-channel attacks
- They don’t protect against all software vulnerabilities
However, they raise the bar significantly. Instead of trivial extraction of keys from the filesystem, an attacker would need specialized equipment and expertise to attempt to extract secrets from a TPM.
For edge devices in physically exposed locations, this difference is crucial. A TPM transforms your device from “completely vulnerable to anyone with physical access” to “resistant to all but the most determined and well-equipped attackers.”
Conclusion: TPM should be standard for edge security
If you’re deploying devices outside of controlled environments, I strongly believe TPM or similar hardware security should be a standard requirement. The difference in security posture is too significant to ignore.
The old security model of “trust the filesystem and OS” simply doesn’t work when devices can be physically accessed, removed, or tampered with. Hardware-based security provides a foundation that remains strong even when physical security and operating system integrity cannot be guaranteed.
For my own projects, I’ve made TPM support a non-negotiable requirement for any edge deployment. The peace of mind is well worth the small additional cost and implementation effort.
Have you implemented TPM security on your edge devices? Or have you experienced security incidents with exposed edge devices? I’d love to hear about your experiences.