The security of resource-constrained IoT devices hinges on robust key-management schemes that balance strong protection. In this paper, we propose and evaluate a hybrid architecture that combines a hardware root of trust provided by a Trusted Platform Module (TPM) with the ultra-fast, secure BLAKE3 hash function as a key-derivation primitive. Each device’s unique endorsement key (EK) and platform measurements are sealed within its TPM, ensuring that private key material never leaves secure hardware. At runtime, a device and server perform a mutually authenticated handshake: the TPM attests to device integrity, and both parties derive session keys via BLAKE3-based HKDF using TPM-protected secrets and nonces. We implement our scheme on a representative ARM-based microcontroller platform and measure end-to-end key- establishment latency, energy consumption, and resilience to common IoT attacks (replay, man- in-the-middle, and device impersonation). Our results show that TPM-backed attestation adds less than 15 ms of overhead, while BLAKE3-driven key derivation completes in under 1 ms and requires only 12 kB of RAM—demonstrating that strong, hardware-anchored key management is feasible even on severely constrained devices. We conclude that the integration of TPM attestation with BLAKE3 KDF offers a scalable, forward-secure foundation for next-generation IoT deployments.