It's certainly possible to use a TPM to secure user-provided keys (which is what Windows uses for its BitLocker software, btw). In this mode, the TPM stores your symmetric encryption keys and only releases them if your boot chain is secure.
It's also possible to use a TPM to generate an RSA keypair. In this mode, the TPM securely stores the private key of the generated keypair. It's not possible to extract the generated private key, so this mode can be used for remote attestation or for secure signatures.
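
A small software model of the sealing mode described in the first paragraph, added here as an illustration and not part of the original comment. `ToyTPM`, the chain contents and the single-PCR check are assumptions; a real TPM binds the sealed blob to a policy digest over a PCR selection rather than a stored PCR value.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one PCR in a SHA-256 bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA256(old || SHA256(component)). A PCR cannot be set."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure(chain) -> bytes:
    """Replay a boot chain starting from the power-on PCR value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical software model of sealing; not a real TPM API."""

    def __init__(self):
        self._pcr = bytes(PCR_SIZE)
        self._blobs = []

    def boot(self, chain):
        # A reboot resets the PCR, then each boot stage measures the next one.
        self._pcr = measure(chain)

    def seal(self, secret: bytes, expected_pcr: bytes) -> int:
        self._blobs.append((secret, expected_pcr))
        return len(self._blobs) - 1

    def unseal(self, handle: int) -> bytes:
        secret, expected_pcr = self._blobs[handle]
        if not hmac.compare_digest(self._pcr, expected_pcr):
            raise PermissionError("PCR mismatch: boot chain changed")
        return secret


# Constructed sample boot chains (placeholders, not real firmware images).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-TAMPERED", b"kernel-v1"]


def try_unlock(chain) -> bool:
    """Seal a disk key against GOOD_CHAIN, boot `chain`, then try to unseal."""
    tpm = ToyTPM()
    handle = tpm.seal(b"constructed-disk-key", measure(GOOD_CHAIN))
    tpm.boot(chain)
    try:
        return tpm.unseal(handle) == b"constructed-disk-key"
    except PermissionError:
        return False
```

Because extend is a one-way hash chain, a modified or reordered stage yields a different final PCR value, and nothing later in the boot can extend it back to the expected one.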