Whether by design or accident, this is correct.

You backup a key or key creation mechanism or whatever elsewhere somewhere very safe.

Then almost never touch it, as the TPM authenticates.