diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
index f64e553..00b5a36 100644
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@@ -53,6 +53,7 @@
     device = {
       virtual-machine = false;
       cpu.type = "intel";
+      hasTPM = true;
     };
     home-manager = {
diff --git a/options/device/hardware.nix b/options/device/hardware.nix
index b90d42b..6151d84 100644
--- a/options/device/hardware.nix
+++ b/options/device/hardware.nix
@@ -19,5 +19,11 @@ in
       default = false;
       description = "Is this system a virtual machine?";
     };
+
+    hasTPM = mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Does this device have a TPM (Trusted Platform Module)?"
+    }
   };
 }
diff --git a/system/hardware/default.nix b/system/hardware/default.nix
index c91c827..8674054 100644
--- a/system/hardware/default.nix
+++ b/system/hardware/default.nix
@@ -1,5 +1,6 @@
 _: {
   imports = [
     ./cpu
+    ./tpm.nix
   ];
 }
diff --git a/system/hardware/tpm.nix b/system/hardware/tpm.nix
new file mode 100644
index 0000000..e2dc62b
--- /dev/null
+++ b/system/hardware/tpm.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) mkIf;
+
+  enabled = config.device.hasTPM;
+in {
+  config = mkIf enabled {
+    security.tpm2 = {
+      # enable Trusted Platform Module 2 support
+      enable = true;
+
+      # enable Trusted Platform 2 userspace resource manager daemon
+      abrmd.enable = mkDefault false;
+
+      # The TCTI is the "Transmission Interface" that is used to communicate with a
+      # TPM. this option sets TCTI environment variables to the specified values if enabled
+      # - TPM2TOOLS_TCTI
+      # - TPM2_PKCS11_TCTI
+      tctiEnvironment.enable = mkDefault true;
+
+      # enable TPM2 PKCS#11 tool and shared library in system path
+      pkcs11.enable = mkDefault false;
+    };
+
+    environment.systemPackages = with pkgs; [ tpm2-tss tpm2-tools ];
+  };
+}
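Review bot: The new `hasTPM` option in options/device/hardware.nix will not parse: the added `description` binding has no terminating semicolon and the closing `}` of the `mkOption` call is not followed by one either, so every configuration that imports this options file fails to evaluate, not only hosts that set the option. The two lines should read `description = "Does this device have a TPM (Trusted Platform Module)?";` and `};`, matching the `virtual-machine` option directly above in the same hunk. Because the other hunks of this commit key the whole TPM setup off this option, the syntax error also blocks the new tpm.nix module from ever being exercised.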
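Review bot: In system/hardware/tpm.nix, `mkDefault` is used on the `abrmd.enable`, `tctiEnvironment.enable` and `pkcs11.enable` lines but only `mkIf` is brought into scope by `inherit (lib) mkIf;`, so Nix reports an undefined variable when the file is loaded — on every host that imports system/hardware/default.nix, regardless of `device.hasTPM`, since the check happens before `mkIf enabled` is evaluated. The inherit line should read `inherit (lib) mkIf mkDefault;`. Separately, `enable = true` is the only binding in the block not wrapped in `mkDefault`, so a host with `hasTPM` set cannot opt out of `security.tpm2` without `mkForce`; if that asymmetry is intended, a one-line comment such as `# deliberately not mkDefault: hasTPM hosts always get the tpm2 stack` would make it clear to the next reader.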