PUP-7137

Support Using TPM-Backed SSL Private Keys for Puppet Agent


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Do
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Acceptance Criteria:
      By toggling a flag in the Puppet agent config file, I should be able to enable the use of a TPM-backed SSL key.
    • Team:
      Coremunity
    • QA Risk Assessment:
      Needs Assessment

      Description

      Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

      On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:

      # Load all available OpenSSL engines, then select the TPM engine by id
      OpenSSL::Engine.load
      tpm = OpenSSL::Engine.by_id('tpm')
      # Hand the engine the TSS blob; the returned key object is backed by the TPM
      key = tpm.load_private_key('/path/to/tss_blob.pem')

      (Note that tss_blob.pem is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

      With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL engine). The above code would effectively replace a call to wrapped_class#new in Puppet::SSL::Key.

      Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at $ssldir/private_keys/$certname.pem, as well as installing the engine, etc.
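      As an added Ruby example (not code from this ticket or from Puppet itself), here is what a flag-driven loader in the spirit of the proposal could look like, together with the check a practitioner would want before trusting an engine-supplied key: confirming it belongs to the agent certificate. The module name, the config keys `key_path` and `ssl_engine`, and the `self_signed_cert` helper are assumptions for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical helper (not Puppet's own code) showing how the flag-driven
# key selection proposed above could look. Names are assumptions:
#   config[:key_path]   - PEM key on disk, or the TSS blob when an engine is used
#   config[:ssl_engine] - nil keeps today's on-disk behaviour; 'tpm' selects the engine
module TpmKeyLoader
  module_function

  def load_private_key(config)
    path = config.fetch(:key_path)
    engine_id = config[:ssl_engine]
    # No engine configured: existing behaviour, read the PEM from $ssldir.
    return OpenSSL::PKey.read(File.read(path)) if engine_id.nil?

    # Ruby can be built without engine support; fail loudly rather than
    # silently falling back to a disk key the operator did not intend to use.
    unless defined?(OpenSSL::Engine)
      raise "OpenSSL engine support is not available in this Ruby build"
    end
    OpenSSL::Engine.load
    engine = OpenSSL::Engine.by_id(engine_id) # raises EngineError if unknown
    # For the TPM engine `path` is the TSS blob, not a plaintext PEM key.
    engine.load_private_key(path)
  end

  # Whatever produced the key, confirm it belongs to the agent certificate
  # before using it; a mismatched TPM blob otherwise surfaces only as an
  # opaque TLS handshake failure against the master.
  def key_matches_cert?(key, cert)
    cert.check_private_key(key)
  end

  # Constructed self-signed certificate for demonstration only; a real agent
  # certificate is issued by the Puppet CA.
  def self_signed_cert(key, cn = 'agent.example.test')
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert
  end
end
```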

      People

      Assignee: Unassigned
      Reporter: torrancew (Tray Torrance)