This comprehensive explanation has been generated from 30 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A Trusted Platform Module (TPM) is a specialized security component that enhances the security and privacy of identity systems by providing hardware-based cryptographic functions. TPMs create a hardware root-of-trust that operates independently of the main processor and operating system, offering protection against software-based attacks and key compromise.
TPMs can be implemented in three forms: discrete chips, firmware TPMs (fTPMs) and virtual TPMs (vTPMs).
TPMs provide two primary categories of security services relevant to KERI and cryptographic identity systems: protected storage and use of cryptographic keys, and measurement and attestation of the integrity of the software stack.
TPMs can generate, store, and protect encryption keys and authentication credentials used to verify the identity of users or devices. This hardware-backed storage provides:
For KERI controllers, TPMs can secure the used for signing in the , providing hardware-backed protection against .
Physical TPM chips (discrete TPMs, or TPMs integrated into a processor package) provide the strongest security guarantees through hardware isolation. Firmware TPMs (fTPMs), which run in processor firmware, and virtual TPMs (vTPMs) offer convenience but may have reduced security properties depending on the implementation.
Modern implementations should use TPM 2.0 (ISO/IEC 11889), which provides:
When integrating TPMs with KERI implementations:
TPMs have constraints that implementers should understand:
TPMs can measure and attest the integrity of software and firmware running on a system, ensuring components have not been tampered with or compromised. This creates a verifiable chain of trust from hardware through the software stack:
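The measurement chain described above can be modelled end to end with nothing but hashing. The following is an added example written for this page, not code from the vLEI wiki or any TPM library: it reproduces the PCR extend rule (new value = SHA-256 of old value concatenated with the measurement), builds the event log a measured boot would leave behind, and runs the checks a remote verifier performs on a quote. The boot component images, the verifier nonce and the attestation key are constructed values; a real TPM signs quotes with an asymmetric attestation key that never leaves the chip, and HMAC stands in for that signature only so the example runs with the standard library.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# TPM 2.0 SHA-256 PCRs are reset to all-zero bytes at power-on.
PCR_INITIAL = b"\x00" * 32

# Constructed stand-in for the TPM's attestation key (assumption: a real
# TPM uses an asymmetric key held inside the chip; HMAC is used here only
# so the example runs offline with the standard library).
ATTESTATION_KEY = b"constructed-attestation-key"


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || digest).
    A PCR can only be extended, never written directly, so its final value
    commits to the whole ordered sequence of measurements."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Simulate a measured boot: each stage hashes the next component into
    the PCR and appends the event to the boot log before handing off."""
    pcr = PCR_INITIAL
    event_log: List[Tuple[str, bytes]] = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_log(event_log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR value a given event log should produce."""
    pcr = PCR_INITIAL
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Model of TPM2_Quote: sign the PCR value together with the verifier's
    nonce so a quote from an earlier boot cannot be replayed."""
    return hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(nonce: bytes, pcr: bytes, event_log, signature: bytes,
                       golden_pcr: bytes) -> Dict[str, bool]:
    """Verifier side: the quote must be signed by the attestation key, the
    reported log must replay to the quoted PCR, and the PCR must equal the
    known-good value recorded at provisioning time."""
    return {
        "signature_ok": hmac.compare_digest(tpm_quote(pcr, nonce), signature),
        "log_matches_pcr": replay_log(event_log) == pcr,
        "matches_golden": pcr == golden_pcr,
    }


# Constructed boot components standing in for firmware, bootloader and kernel.
GOOD_BOOT = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
TAMPERED_BOOT = GOOD_BOOT[:2] + [("kernel", b"constructed modified kernel image")]

# Golden value recorded when the known-good stack was provisioned.
GOLDEN_PCR, _ = measured_boot(GOOD_BOOT)


def attest(components, nonce: bytes) -> Dict[str, bool]:
    """Boot the given stack, produce a quote and verify it against the golden value."""
    pcr, log = measured_boot(components)
    return verify_attestation(nonce, pcr, log, tpm_quote(pcr, nonce), GOLDEN_PCR)


def attest_with_mismatched_log(nonce: bytes) -> Dict[str, bool]:
    """A modified stack that reports the good stack's event log: the PCR
    itself cannot be rewritten, so the log no longer replays to it and the
    verifier detects the inconsistency."""
    pcr, _ = measured_boot(TAMPERED_BOOT)
    _, good_log = measured_boot(GOOD_BOOT)
    return verify_attestation(nonce, pcr, good_log, tpm_quote(pcr, nonce), GOLDEN_PCR)


if __name__ == "__main__":
    nonce = b"constructed-verifier-nonce"
    print("good boot:      ", attest(GOOD_BOOT, nonce))
    print("modified kernel:", attest(TAMPERED_BOOT, nonce))
    print("mismatched log: ", attest_with_mismatched_log(nonce))
```

The three checks are deliberately separate: a valid signature only proves the TPM signed what it measured, a replaying log only proves the log is consistent with the PCR, and only the comparison against the golden value establishes that the stack is the expected one. A change to any one component, at any stage, changes every PCR value extended after it.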
While TPMs are not explicitly required by KERI specifications, they align strongly with KERI's emphasis on cryptographic security and key management best practices. TPMs can enhance KERI implementations by:
TPMs provide hardware-backed storage for KERI controller private keys and seeds, protecting against:
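One concrete way a TPM ties the two services together is sealing: a secret such as a controller's signing seed is stored under a PCR policy, so the TPM releases it only when the measured software stack matches the state it was sealed under. The block below is an added example written for this page, not code from the vLEI wiki or from any TPM library; it is a simplified model of TPM2_Create with a PCR policy and TPM2_Unseal, using a constructed storage root key and constructed boot images, with a SHA-256 keystream and HMAC standing in for the TPM's internal encryption. The policy digest construction is likewise simplified relative to the real TPM2_PolicyPCR computation.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_INITIAL = b"\x00" * 32

# Constructed stand-in for the TPM's storage root key, which never leaves
# the chip (assumption made so the example runs offline).
STORAGE_ROOT_KEY = b"constructed-storage-root-key"


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def boot_pcr(images: List[bytes]) -> bytes:
    """PCR value produced by measuring the given component images in order."""
    pcr = PCR_INITIAL
    for image in images:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def policy_pcr(pcr: bytes) -> bytes:
    """Simplified model of TPM2_PolicyPCR: the policy digest commits to the
    PCR value under which the sealed object may be unsealed."""
    return hashlib.sha256(b"PolicyPCR" + pcr).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the TPM's symmetric cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes, bytes]:
    """Model of TPM2_Create with a PCR policy. The secret is encrypted under a
    key derived from the storage root key and the policy digest; the returned
    blob (policy, ciphertext, tag) can be stored on ordinary disk."""
    policy = policy_pcr(expected_pcr)
    k = hashlib.sha256(STORAGE_ROOT_KEY + policy).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(k, len(secret))))
    tag = hmac.new(k, policy + ciphertext, hashlib.sha256).digest()
    return policy, ciphertext, tag


def unseal(blob: Tuple[bytes, bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Model of TPM2_Unseal: the secret is released only if the current PCR
    satisfies the policy and the blob is intact; otherwise nothing is returned."""
    policy, ciphertext, tag = blob
    if policy_pcr(current_pcr) != policy:
        return None  # policy check fails: software stack differs from sealing time
    k = hashlib.sha256(STORAGE_ROOT_KEY + policy).digest()
    expected_tag = hmac.new(k, policy + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None  # blob was altered on disk
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(k, len(ciphertext))))


# Constructed component images for the provisioned stack and a modified one.
GOOD_STACK = [b"constructed firmware v1", b"constructed bootloader v1", b"constructed kernel v1"]
MODIFIED_STACK = GOOD_STACK[:2] + [b"constructed kernel v1 modified"]


def provision_and_unseal(seed: bytes, sealed_under: List[bytes],
                         booted_with: List[bytes]) -> Optional[bytes]:
    """Seal a controller seed under one stack's PCR, then attempt to unseal
    after booting another. Returns the seed only when the stacks match."""
    blob = seal(seed, boot_pcr(sealed_under))
    return unseal(blob, boot_pcr(booted_with))


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed KERI signing seed").digest()
    print("same stack:    ", provision_and_unseal(seed, GOOD_STACK, GOOD_STACK) == seed)
    print("modified stack:", provision_and_unseal(seed, GOOD_STACK, MODIFIED_STACK))
```

The seed never appears in the blob written to disk, and a host that boots a different kernel cannot recover it even though it holds the blob and can invoke the TPM, which is the property that matters for a controller's current signing key. A real deployment also needs a re-sealing step whenever the software stack is legitimately updated, since the new measurements will no longer satisfy the old policy.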
TPMs complement Trusted Execution Environments (TEE) by providing:
The zero-trust computing principles outlined in KERI documentation explicitly recommend using TPMs alongside TEEs and HSMs for securing key management operations.