There is a great video that's come out of linux.conf.au 2016 where Matthew Garrett talks about Trusted Platform Modules (TPMs): what they are, what they can do and how you can use them to secure your computer.
Before watching the video I was vaguely aware that there are these things called TPMs and that they can be used for a bunch of fancy crypto stuff, including being able to sign things with keys that are not stored[1] on the computer, either on the disk or in memory, so that even if the system is compromised the key can't be recovered. I also knew it could do some fancy stuff with the boot process so that you could verify that your system's boot had not been tampered with. This could be used to stop an "Evil Maid attack", where someone replaces your kernel with a backdoored one, as I mentioned in my post on Setting Up Full Disk Encryption on Debian Jessie.
After watching Matthew's excellent talk I feel that I have a much deeper understanding of what a TPM is and what it can do. One of the nice things you can do with a TPM is get it to display a TOTP code, like the ones used in most two-factor authentication solutions, that will only be correct if your boot hasn't been tampered with, so you can be sure that the prompt asking for your passphrase to decrypt your disks is not backdoored.[2]
So now while I'm still confused and uncertain about TPMs, it's on a much higher plane.[3]
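To make the boot-time TOTP idea above (and the "encrypted with a key in the TPM" point in footnote 1) concrete, here is an added simulation, not code from the talk or from any TPM tool: measurements are chained into a PCR the way a TPM extends them, a TOTP secret is sealed to that PCR value, and the code is only produced when the measured boot chain matches. The sealing uses a PCR-derived HMAC key as a stand-in for the TPM's own non-exportable key; the boot component names are constructed sample values.

```python
import hashlib
import hmac
import struct

PCR_SIZE = 32  # one PCR in a SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)).
    Order matters and a PCR cannot be set to a chosen value, only extended."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold each boot stage into the PCR, as firmware/bootloader would."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _seal_key(pcr: bytes) -> bytes:
    # Simulation only: a real TPM binds to PCRs via policy and its own key.
    return hmac.new(pcr, b"tpm-totp-seal", hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> tuple:
    """Encrypt-and-MAC the secret (<= 32 bytes) under the current PCR."""
    key = _seal_key(pcr)
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: tuple, pcr: bytes):
    """Return the secret only if the PCR matches; None otherwise,
    mirroring a TPM refusing to unseal under a different boot state."""
    ct, tag = blob
    key = _seal_key(pcr)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation), as phone apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def boot_code(sealed: tuple, components, unix_time: int):
    """What the passphrase prompt shows: a code only for the sealed-to chain."""
    secret = unseal(sealed, measure_boot(components))
    return None if secret is None else totp(secret, unix_time)
```

A replaced kernel changes the measured chain, so unseal fails and no code appears; the user compares the displayed code with their phone, which computes TOTP from the same secret.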
[1] Technically the key might be stored on the disk, but that key is encrypted with a key that is in the TPM, so as Matthew says "It's like having someone's private GPG key that's been passphrase encrypted, you can't actually use it without knowing the decryption key." ↩
[2] I'll admit I'm not sure how practical this is, it seems like too much work and even paranoid users will give it up at some time. But it's still cool that you can do it. ↩