What are the differences between TPM and HSM?

Trusted Platform Modules

A Trusted Platform Module (TPM) is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption. Many laptop computers include a TPM, but if the system doesn’t include it, it is not feasible to add one. Once enabled, the Trusted Platform Module provides full disk encryption capabilities. It becomes the "root of trust" for the system to provide integrity and authentication to the boot process. It keeps hard drives locked/sealed until the system completes a system verification, or authentication check.

The TPM includes a unique RSA key burned into it, which is used for asymmetric encryption. Additionally, it can generate, store, and protect other keys used in the encryption and decryption process.

Hardware Security Modules

A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys.

High performance HSMs are external devices connected to a network using TCP/IP. Smaller HSMs come as expansion cards you install within a server, or as devices you plug into computer ports.

One of the noteworthy differences between the two is that HSMs are removable or external devices. In comparison, a TPM is a chip embedded into the motherboard. You can easily add an HSM to a system or a network, but if a system didn’t ship with a TPM, it’s not feasible to add one later. Both provide secure encryption capabilities by storing and using RSA keys.

Source: https://blogs.getcertifiedgetahead.com/tpm-hsm-hardware-encryption-devices/

Sorry, but I think there are some gaps in this conversation:

1. TPMs can't be added later : False. Many modern motherboards include a header to which a TPM can be added after the fact. Visit Amazon and look at the TPM modules cards for MSI, Asus, and other motherboards
2. HSMs are typically removed or network attached : False. HSMs can be embedded in a range of hardware from FIPS 140-3 compliant rack mount chassis, to PCI-E cards, to USB keys, to MicroSD cards

The primary difference is in use. TPMs are meant to provide a hardware root of trust to enable secure computing by providing a secure key storage enclave with minimal cryptographic functions primarily in the signing and signature verification space. Some one did outline the primary use cases ... storage of drive encryption keys and validation of signatures on boot loaders, kernels, and device drivers. Note, much of this can be accomplished without a TPM (secure boot with bios that support Windows WHQL including default Microsoft keys), password based disk encryption. TPMs typically cost between $7 USD (as part of the bill of materials for a custom board) to $15 USD (as a pluggable module for after market modification). TPMs can include smart card reader / virtual smart card functionality.

HSMs typically have two primary, closely related functions. The first function is hardware enabled / accelerated cryptographic functions including encipherment, decipherment, key generation, PRNG functions, and related signing/signature validation functions. Typically these are hardware accelerated by onboard FPGA or ASIC (or a combination). The second function typically is a smart card reader with / without virtual smart card for key / certification storage with enhanced (PIN) based protections. The integration of the two provides a powerful model for using hardware to generate a non-exportable certificate embedded within the virtual smart card. HSMs can run from tens of thousands of dollars (for chassis based solutions) to thousands of dollars (for PCIE cards) to 100s of dollars (USB) to 10s of dollars (for H-SDC versions).

In my experience, TPMs are primarily used for key storage, HSMs are primarily used for hardware accelerated cryptography with key storage.

TPMs are very exactly specified parts wrt to function and security level they provide (https://www.trustedcomputinggroup.org).

It has fixed function, is a rather low cost and yet high security chip (less than $2.00). The purpose is to serve as a ‚root of trust‘ on a platform. Also they are tested and certified to withstand a defined level of side-channel/observing attacks, semi-invasive/fault attacks and even invasive attacks.

In contrast the term HSM essentially just says „hardware security module“ and this leads to an ambiguity and variety of interpretations.

Traditionally an HSM is module that is optimized to generate AES, RSA or ECC keys and certificates in very high performance. Imagine you run a web-server that shall be able to quickly establish hundreds or thousands of https (SSL/TLS) session. This requires a massive crypto performance (i.e. key generation). HSMs do this - very fast! They are not necessarily well protected sophisticated against attacks, since they are usually operated in a secure environment. However they typically are packaged in a way that provides tamper resistance and evidence. Big difference to TPMs: these modules cost $1000s upwards. It‘s low volume specially designed silicon and comes e.g. on PCIexpress boards where the customer can scale the required performance by plugging in multiple HSMs on his motherboard/rack. The TPM market is north of 100mio pcs/yr. And by definition there is 1 TPM ‚bound‘ (=mostly ‚soldered‘) to the platform.

Other forms of „HSM“ interpretations: Some use the term HSM ambiguously e.g. even for the TrustZone in the ARM-A series family or anything where there is a dedicated security processor in a more general (multi-core) CPU.