TLSPROXY with a Trusted Platform Module (TPM)
TLSPROXY can use hardware-backed cryptographic keys on devices that have a TPM.
When this feature is enabled, hardware-backed cryptographic keys are used to:
- encrypt local data (the data cannot be used or recovered on a different device),
- sign authentication tokens,
- sign the PKI certificates, OCSP responses, and CRLs.
To enable this feature, set hwBacked: true in config.yaml. This option cannot
be changed without manually deleting the entire cache directory.
The TLSPROXY process needs access to /dev/tpm0 and/or /dev/tpmrm0 on linux.
On docker, use --device /dev/tpmrm0:/dev/tpmrm0:rwm and make sure the
container's userid has access to /dev/tpmrm0.