The Protected Storage mechanism can protect both arbitrary data and keys. Arbitrary data is revealed by the TPM to a caller, whereas a TPM uses keys internally and never exports them. These are the main points of interest for users:
Protected Storage allows private signature keys to be stored in such a way that the TPM can use them without exposing them to the host platform. An appropriately designed TPM should be able to meet the European directive on digital signing.
Bulk encryption keys or arbitrary authorization data can be stored in a way that requires cooperation of the TPM to reveal them to the host platform.
Protected data can be stored in a way that either permits duplication of the data by TCPA features (under ...
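The difference between protected data (revealed to an authorized caller) and protected keys (used inside the TPM, never exported) can be shown with a toy model. This is an added example, not TCPA or TPM code: the class `ToyTPM`, its method names, the blob layout and the HMAC-based keystream are all assumptions made for illustration, and HMAC stands in for the TPM's private-key signature operation.

```python
import hashlib, hmac, os

class ToyTPM:
    """Constructed model of Protected Storage; not a real TPM/TCPA interface."""

    def __init__(self):
        self._root = os.urandom(32)  # storage root secret: never leaves this object

    def _prf(self, label, data):
        return hmac.new(self._root, label + data, hashlib.sha256).digest()

    def _stream(self, nonce, n):  # toy keystream, for illustration only
        blocks = (self._prf(b"enc", nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def _wrap(self, kind, secret, auth):
        nonce = os.urandom(16)
        body = kind + hashlib.sha256(auth).digest() + secret
        ct = bytes(a ^ b for a, b in zip(body, self._stream(nonce, len(body))))
        return nonce + ct + self._prf(b"mac", nonce + ct)  # blob is stored on the host

    def _open(self, kind, blob, auth):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"mac", nonce + ct)):
            raise ValueError("blob was modified or belongs to another TPM")
        body = bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))
        if body[:1] != kind:
            raise PermissionError("operation not allowed for this object type")
        if not hmac.compare_digest(body[1:33], hashlib.sha256(auth).digest()):
            raise PermissionError("authorization failed")
        return body[33:]

    def seal(self, data, auth):           # arbitrary data supplied by the host
        return self._wrap(b"D", data, auth)

    def unseal(self, blob, auth):         # data IS revealed to an authorized caller
        return self._open(b"D", blob, auth)

    def create_key(self, auth):           # key generated inside; host sees only the blob
        return self._wrap(b"K", os.urandom(32), auth)

    def sign(self, blob, auth, message):  # key used inside; only the result leaves
        return hmac.new(self._open(b"K", blob, auth), message, hashlib.sha256).digest()

if __name__ == "__main__":
    tpm = ToyTPM()
    key_blob = tpm.create_key(b"owner-auth")            # constructed sample values
    print(tpm.sign(key_blob, b"owner-auth", b"contract").hex())
```

Calling `unseal` on a key blob raises `PermissionError`, which is the model's version of "never exports them": the only path to the key material is an operation that consumes it internally.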