Thanks to work by Intel and Microsoft, TPMs are ubiquitous in today’s hardware, from tablets all the way to servers, and Thanks to Microsoft, the most recent incarnation: TPM 2.0 is being deployed reasonably universally. TPMs can perform four essential functions: secure measurement and logging, secure signing, encryption, and private key escrow, data sealing, and attestation. (TPMs  can be divided into two classes: the modern 2.0 incarnation required by  Microsoft and used in the Surface and newer systems and the older (and much more common) 1.2 System.  Although his talk will mention the Older1.2 stack because it can do a significant subset of the 2.0 features, it will concentrate on 2.0 (because that's the one James has in his laptop).  Most people have heard (at length) about measurement and all its problems. Here, We will explain how secure signing can be made to function where an external key is irretrievably (so that neither hackers nor the cloud service provider can get it) placed into a TPM and used to perform a variety of RSA authentication operations. The useful target for this is VPN, but there are a variety of other authentication systems for which this can be made to work. We also demonstrate how an existing RSA key can be wrapped for secure transmission to the TPM and then used via the OpenSSL engine functions, how an agreed PCR  timer can make this key expire after an agreed interval, why it cannot ever be retrieved, and how the trust model actually works. And for the paranoid who don’t trust their own cloud provider, James covers how the TPM attestation functions can be used to verify exactly that you weren’t tricked into wrapping the key for a software-based TPM, which could allow the trickster to steal your private key. James then explains how sequestered trust models like the TPM can be used in the industry to enhance security even in an apparently insecure environment.