What is the primary reason for using public-key cryptography during TLS handshake?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What is the primary reason for using public-key cryptography during TLS handshake?

Explanation:
Public-key cryptography is used during the TLS handshake primarily to establish a shared secret that both sides can use as the session key for symmetric encryption. The handshake authenticates the server (via its certificate) and then uses an asymmetric mechanism—such as an agreed key-exchange method—to securely derive a random symmetric key. Once this session key is in place, the actual data transfer uses fast symmetric encryption, which is suitable for large volumes of data.

This approach is preferred because public-key cryptography is computationally intensive, so encrypting all session data directly with it would be inefficient. By securely exchanging a symmetric session key, TLS combines the authentication and key protection benefits of public-key cryptography with the speed of symmetric encryption for the bulk of the communication.

The other ideas don’t fit the primary purpose: public-key cryptography isn’t used to encrypt all data directly, it isn’t about backward compatibility, and TLS relies on certificates for server authentication rather than passwords.
