If the device is just plugged in all the time and unlocking the computer involves copying the key from the device's memory to the host's memory then you may as well just keep the key encrypted on disk. The device adds no security.
Well, the TPM is soldered on the mainboard, or even built into the CPU. So, yeah, we can say that it is "plugged in all the time" – though it will not allow access to certain objects (e.g. keys) unless proper authorization was provided. In theory, all crypto operations could be done inside the TPM, so that the key never needs to leave the TPM. But, for the use case of disk encryption, this would be way too slow, I suppose. That's probably why they read the encryption key from the TPM's NV-RAM into the "normal" RAM once it has been unlocked.

The only situation I can see where storing the key in the TPM provides a real advantage is when the attacker steals your hard disk, but not the whole machine with the TPM. In that case, the attacker really has no way to get the encryption key from the TPM. Still, the attacker could do a "brute-force" attack on the encryption key. But, if we assume that the encryption key in the TPM is ~256 bits in size and was generated totally at random (not derived from a passphrase), the chances of successfully brute-forcing the key are practically zero.

On the other hand, if we simply used a KDF to derive the key from the user's passphrase, then the chance of successfully brute-forcing the passphrase/key should also be pretty close to zero – provided that the KDF used is sufficiently slow (e.g. Argon2 with proper settings).
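The passphrase/KDF path the post compares against the TPM, as an added example that is not part of the original post: a random 256-bit volume key is stored on disk wrapped under a key derived from the passphrase with a deliberately slow KDF, so an attacker who only has the disk pays the full KDF cost per guess. The Python standard library has no Argon2, so `hashlib.scrypt` stands in for it; the cost parameters, the XOR-plus-HMAC wrap and all sample values are constructed for the demo, not taken from any real implementation.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# scrypt cost parameters, assumed for the demo (N=2**14 needs ~16 MiB of RAM).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    """Derive 64 bytes of key material from the passphrase; slow on purpose."""
    return hashlib.scrypt(passphrase, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=64)


def wrap_volume_key(volume_key: bytes, passphrase: bytes) -> dict:
    """Build an on-disk 'key slot': salt, wrapped volume key and an HMAC tag.

    The first 32 derived bytes XOR-mask the volume key (a one-time mask,
    since the salt is fresh); the last 32 key the integrity tag.
    """
    assert len(volume_key) == 32, "volume key must be 256 bits"
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrap_key, mac_key = kek[:32], kek[32:]
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_volume_key(slot: dict, passphrase: bytes) -> Optional[bytes]:
    """Recover the volume key, or None if the passphrase (or slot) is wrong."""
    kek = derive_kek(passphrase, slot["salt"])
    wrap_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None  # wrong passphrase: the volume key is never exposed
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def seconds_per_guess(salt: bytes, rounds: int = 3) -> float:
    """Measure what one passphrase guess costs on this host (the KDF work)."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_kek(b"guess", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    vk = os.urandom(32)  # constructed random 256-bit volume key
    slot = wrap_volume_key(vk, b"correct horse battery staple")
    assert unwrap_volume_key(slot, b"correct horse battery staple") == vk
    assert unwrap_volume_key(slot, b"wrong passphrase") is None
    print(f"{seconds_per_guess(slot['salt']):.3f} s of KDF work per guess")
```

Raising `SCRYPT_N` (or switching to Argon2 with memory-hard settings) scales the per-guess cost directly, which is the "sufficiently slow" property the post relies on.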