> If the device is just plugged in all the time and unlocking the computer involves copying the key from the device's memory to the host's memory then you may as well just keep the key encrypted on disk. The device adds no security.
Well, the TPM is soldered on the mainboard, or even built into the CPU. So, yeah, we can say that it is "plugged in all the time" – though it will not allow access to certain objects (e.g. keys), unless proper authorization was provided. In theory, all crypto operations could be done inside the TPM, so that the key never needs to leave the TPM. But, for the use case of disk encryption, this would be way too slow, I suppose. That's probably why they read the encryption key from the TPM's NV-RAM into the "normal" RAM, once it has been unlocked.

The only situation I can see where storing the key in the TPM provides a real advantage is when the attacker steals your hard disk, but not the whole machine with the TPM. In that case, the attacker really has no way to get the encryption key from the TPM. Still, the attacker could do a "brute-force" attack on the encryption key. But, if we assume that the encryption key in the TPM is ~256 bit in size and was generated totally at random (not derived from a passphrase), the chances of successfully brute-forcing the key are practically zero.

On the other hand, if we simply used a KDF to derive the key from the user's passphrase, then the chance of successfully brute-forcing the passphrase/key should also be pretty close to zero – provided that the KDF used is sufficiently slow (e.g. Argon2 with proper settings).
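To make the comparison in the post above concrete, here is an added worked example (not code from the post or from any TPM or disk-encryption project). It derives a 256-bit key from a passphrase with a slow KDF and estimates the attacker's brute-force work for a guessable passphrase versus a random TPM-style key. Assumptions: `hashlib.scrypt` from the Python standard library stands in for Argon2 (which is not in the standard library); the scrypt cost parameters, the passphrase, the alphabet size and the guess-rate figures are all constructed for illustration.

```python
import hashlib
import math
import os
import time

# Constructed KDF cost parameters (an assumption for this example, not a
# recommendation): 128 * r * N bytes of memory, i.e. 16 MiB at N = 2**14, r = 8.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32  # 256-bit key, the size the post assumes for the TPM-stored key


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 256-bit disk-encryption key from a passphrase with a slow KDF.

    The salt must be stored alongside the encrypted volume; it prevents
    precomputed tables but does not slow down an attacker who has the disk.
    """
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def random_key() -> bytes:
    """A TPM-style key: 256 random bits, not derived from anything guessable."""
    return os.urandom(KEY_LEN)


def passphrase_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """Expected number of guesses before hitting the secret (half the key space)."""
    return 2.0 ** (entropy_bits - 1)


def brute_force_seconds(entropy_bits: float, seconds_per_guess: float,
                        parallel_guessers: int = 1) -> float:
    """Wall-clock time for an attacker with the given per-guess cost and parallelism.

    For a random 256-bit key the per-guess cost is one decryption attempt
    (microseconds); for a KDF-derived key it is one full KDF evaluation.
    Either way the key space, not the key-storage device, dominates the result.
    """
    return expected_guesses(entropy_bits) * seconds_per_guess / parallel_guessers


def time_one_kdf_call(salt: bytes) -> float:
    """Measure how long one KDF evaluation takes on this machine (seconds)."""
    start = time.perf_counter()
    derive_key("timing-probe", salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed for this run; would be stored with the volume
    kdf_seconds = time_one_kdf_call(salt)

    # Constructed scenario: a 10-character passphrase over a 62-symbol alphabet,
    # attacked by 1000 parallel guessers (an arbitrary figure for illustration).
    pass_bits = passphrase_entropy_bits(62, 10)
    print(f"one KDF call: {kdf_seconds:.3f} s")
    print(f"passphrase entropy: {pass_bits:.1f} bits")
    print(f"brute-force time (KDF-derived key): "
          f"{brute_force_seconds(pass_bits, kdf_seconds, 1000) / 3.156e7:.2e} years")
    # A random 256-bit key can be tested at roughly one AES block per guess;
    # 1e-7 s per guess is a constructed, generous attacker figure.
    print(f"brute-force time (random 256-bit key): "
          f"{brute_force_seconds(256, 1e-7, 1000) / 3.156e7:.2e} years")
    assert len(derive_key("hunter2", salt)) == len(random_key()) == KEY_LEN
```

The point the numbers make is the one the post makes in words: with a slow KDF, the attacker's cost is (key-space size) times (KDF cost), so a passphrase with decent entropy is out of reach even though each guess is "only" one KDF call, whereas the random TPM key is out of reach simply because its space is 2^256.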