Most setups only have the key stored in the TPM, so all you need to get it back is a signed/trusted bootloader.

Ideally you'd want that key to be further protected with a password or some other mechanism because it's not impossible to extract TPM keys.