
tpm-based key manager

Open: amoore877 opened this issue 5 years ago (1 comment)

It would be nice to have a TPM-based key manager that Agent and Server could use, as an alternative to in-memory and disk-based. Actual usage would obviously depend upon the deployment environment having access to TPMs or similar implementation

amoore877, Nov 04 '19 16:11

Some overlap server-side with HSM support: #525

zmt, Feb 01 '21 23:02

Honestly I'm surprised there's no PIV / PKCS#11 support in SPIRE, let alone TPM support. Would have thought it would be an obvious necessity to achieve hardware-backed node attestation and cert issuance?

udf2457, Mar 31 '23 11:03

SPIRE does have node attestor TPM support for hardware using DevID. There is also a popular community-supported TPM plugin used in cases where there is no DevID. The latter may one day be merged upstream as well.

This issue is specifically about support for sealing agent key material against a TPM.

evan2645, Mar 31 '23 16:03
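To make the distinction in the comment above concrete (sealing the agent's key material against a TPM, as opposed to TPM-based node attestation), here is an added Go sketch of what a sealing key manager does. It is not SPIRE code and not a SPIRE plugin: the `SimTPM` type is a constructed stand-in for the TPM's storage hierarchy and PCR bank, `GenerateSealedKey` and `LoadSealedKey` are hypothetical key-manager steps, and the measurements fed to the PCRs are made up. A real implementation would replace `SimTPM` with calls to the device (for example through go-tpm) and use a TPM2_PolicyPCR-bound sealed object instead of the AES-GCM wrapping used here to model it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SimTPM is a constructed stand-in for a TPM: a storage-root secret that never
// leaves the device, plus a PCR bank. Not a real TPM interface.
type SimTPM struct {
	storageRoot [32]byte         // analogue of an SRK-derived seed; never exported
	pcrs        map[int][32]byte // PCR index -> current value
}

// NewSimTPM creates a device with a fresh storage root and all-zero PCRs.
func NewSimTPM() *SimTPM {
	t := &SimTPM{pcrs: make(map[int][32]byte)}
	if _, err := rand.Read(t.storageRoot[:]); err != nil {
		panic(err)
	}
	return t
}

// ExtendPCR models TPM2_PCR_Extend: pcr = H(pcr || measurement). A PCR can only
// be extended, never rolled back, which is what makes PCR-bound sealing useful.
func (t *SimTPM) ExtendPCR(idx int, measurement []byte) {
	cur := t.pcrs[idx]
	t.pcrs[idx] = sha256.Sum256(append(cur[:], measurement...))
}

// policyDigest models a TPM2_PolicyPCR digest over the selected PCRs.
func (t *SimTPM) policyDigest(sel []int) []byte {
	h := sha256.New()
	for _, i := range sel {
		v := t.pcrs[i]
		h.Write([]byte{byte(i)})
		h.Write(v[:])
	}
	return h.Sum(nil)
}

// SealedKey is the blob a key manager could persist to disk: it is unusable
// without this device's storage root and the PCR state recorded at seal time.
type SealedKey struct {
	PCRSel []int
	Policy []byte
	Nonce  []byte
	Blob   []byte
}

// wrapKey derives the wrapping key from the storage root and the policy digest,
// so a different PCR state (different policy) yields a different key.
func (t *SimTPM) wrapKey(policy []byte) cipher.AEAD {
	k := sha256.Sum256(append(t.storageRoot[:], policy...))
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal wraps secret under the current values of the selected PCRs.
func (t *SimTPM) Seal(secret []byte, sel []int) (*SealedKey, error) {
	policy := t.policyDigest(sel)
	aead := t.wrapKey(policy)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedKey{PCRSel: sel, Policy: policy, Nonce: nonce,
		Blob: aead.Seal(nil, nonce, secret, policy)}, nil
}

// Unseal releases the secret only if the selected PCRs still match the policy
// and the blob was sealed by this device.
func (t *SimTPM) Unseal(s *SealedKey) ([]byte, error) {
	policy := t.policyDigest(s.PCRSel)
	if !bytes.Equal(policy, s.Policy) {
		return nil, errors.New("PCR policy mismatch: platform state changed since sealing")
	}
	return t.wrapKey(policy).Open(nil, s.Nonce, s.Blob, policy)
}

// GenerateSealedKey is the hypothetical key-manager "generate" step: create the
// agent's ECDSA key and return the sealed form that may be written to disk.
func GenerateSealedKey(t *SimTPM, sel []int) (*ecdsa.PrivateKey, *SealedKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	sealed, err := t.Seal(der, sel)
	return key, sealed, err
}

// LoadSealedKey is the hypothetical "load on agent restart" step.
func LoadSealedKey(t *SimTPM, s *SealedKey) (*ecdsa.PrivateKey, error) {
	der, err := t.Unseal(s)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	tpm := NewSimTPM()
	tpm.ExtendPCR(7, []byte("secure-boot-policy-measurement")) // constructed measurement
	key, sealed, err := GenerateSealedKey(tpm, []int{7})
	if err != nil {
		panic(err)
	}
	loaded, err := LoadSealedKey(tpm, sealed)
	fmt.Println("same PCRs, key recovered:", err == nil && loaded.D.Cmp(key.D) == 0)
	tpm.ExtendPCR(7, []byte("unexpected-kernel-module")) // platform state changes
	_, err = LoadSealedKey(tpm, sealed)
	fmt.Println("after PCR change, unseal error:", err)
}
```

The point the model makes is that the on-disk artifact is only ciphertext: it can be copied, but it is recoverable only on the same device and only while the measured boot state matches what was recorded at seal time. That is the property the in-memory and disk-based key managers cannot offer.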

Also be aware that there is a DevID provisioning tool that probably needs a bit of work before it can be made production-worthy. https://github.com/HewlettPackard/devid-provisioning-tool

bnevis-i, Apr 03 '23 15:04

This issue is stale because it has been open for 365 days with no activity.

github-actions[bot], Apr 02 '24 22:04

This issue was closed because it has been inactive for 30 days since being marked as stale.

github-actions[bot], May 03 '24 22:05