Trusted Platform Modules (TPMs) are widely available on modern platforms and provide a strong hardware-based root of trust for cryptographic keys. At the same time, many applications already rely on the PKCS#11 API to interact with Hardware Security Modules (HSMs) and other secure key stores. Bridging these two worlds allows developers to take advantage of TPM-backed key protection while continuing to use a familiar, standardized cryptographic interface.
wolfSSL makes this possible by combining wolfTPM, a portable TPM 2.0 software stack, with wolfPKCS11, our lightweight PKCS#11 provider. Together, they allow a TPM or firmware TPM (fTPM) to act as a PKCS#11 token, enabling hardware-protected key storage and cryptographic operations without requiring changes to existing applications.
TPMs and PKCS#11 in Practice
TPM 2.0 devices are designed for secure key generation, storage, signing, and encryption, but the native TPM interface is rarely used directly by applications. PKCS#11, on the other hand, is a well-established standard supported by operating systems, TLS libraries, browsers, and enterprise software. By exposing TPM functionality through PKCS#11, existing applications can immediately benefit from hardware-backed keys and standardized secure cryptography.
With wolfPKCS11 layered on top of wolfTPM, PKCS#11 calls such as key generation, signing, and object management are mapped directly to TPM 2.0 commands. Keys never leave the TPM, and cryptographic operations are performed inside the trusted hardware boundary. This approach provides HSM-like behavior using TPM hardware that is already present on many systems.
wolfTPM and wolfPKCS11 Integration
wolfTPM provides a clean and portable TPM 2.0 implementation that supports discrete TPMs and firmware TPMs across embedded systems, Linux, and additional platforms. wolfPKCS11 builds on this by implementing the PKCS#11 API and mapping objects, sessions, and cryptographic operations onto TPM resources.
This integration supports common public-key algorithms such as RSA and ECC, along with secure key storage and certificate handling. When combined with wolfCrypt FIPS, this architecture can be used as part of a FIPS-aligned cryptographic solution, with keys protected by TPM hardware and operations performed through a standardized interface.
Why This Matters
Using a TPM through PKCS#11 simplifies application development and deployment. Developers can reuse existing PKCS#11-enabled software while gaining the strong security guarantees of hardware-protected keys. This is especially valuable for embedded systems, IoT devices, and enterprise environments where cost, portability, and compliance requirements rule out traditional HSMs.
By making your TPM “talk” PKCS#11, wolfSSL enables secure, interoperable, and future-proof cryptographic designs built on open standards and proven hardware security.
For more information about wolfTPM, wolfPKCS11, or FIPS-validated cryptography, contact the wolfSSL team or explore our documentation and examples.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now