Feedback about TPM 2.0 support proof of concept

Hi all,

We use Caddy in an embedded devices context, where it basically is the central component for a lot of network-related use cases. It is awesome! One of the use cases, of course, is TLS termination for offering HTTPS. In our context we have the need to store confidential cryptographic material securely in hardware storage. The goal would be to make use of such a mechanism by storing it in a TPM and using it with Caddy.

For this sake I implemented a proof of concept for this approach.
It includes (light) modifications to Certmagic and a fitting certmagic-tpm storage module (for handling leaf certificate keys) as well as modifications to Caddy (to handle PKI related keys).

E.g. for configuring the storage of CA keys in the TPM one can use:

pki {
	ca local {
		name "My Local TPM CA"
		root_cn "My Local TPM Root CA"
		intermediate_cn "My Local TPM Intermediate CA"
		tpm_enabled true
		tpm_device "/dev/tpmrm0"
		tpm_root_handle "0x81010010"
		tpm_intermediate_handle "0x81010011"
		tpm_key_type "ecdsa-p256"
	}
}

And for the encryption of leaf certificate keys in the filesystem:

storage tpm {
	tpm_device "/dev/tpmrm0"
	storage_path "./data"
	key_handle 0x81000042
}

Prior to this weekend project, I had not had much to do with TPMs or writing Caddy plugins, and I am not sure if my approach is the best. But besides that, I am very interested in your opinion in general. Is it thinkable that this feature could be contributed to the upstream projects at all, or is it too niche? Do you see alternative ways this could be achieved with another approach or architectural implementation? Is the documentation helpful and understandable?

I am very thankful for any feedback and improvement ideas!

Best Regards,
Philipp

3 Likes
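As an added example (not code from the post or from the certmagic-tpm plugin), here is a small Go validator for the TPM options the two Caddyfile snippets above use. It accepts the quoted and unquoted handle forms shown, and rejects a handle outside the TPM 2.0 persistent range (top byte 0x81), since a transient object would not survive a reboot and so cannot back a CA or leaf key. The struct and its field names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// TPMKeyConfig collects the TPM options used in the post's Caddyfile snippets
// (a hypothetical struct for this example, not the plugin's own type).
type TPMKeyConfig struct {
	Device  string // /dev/tpmrm0 (kernel resource manager) or /dev/tpm0
	Handle  string // as written in the Caddyfile: "0x81010010" or 0x81000042
	KeyType string // only ecdsa-p256 appears on the page
}

// ParseHandle accepts the quoted and unquoted handle forms seen in the post.
func ParseHandle(s string) (uint32, error) {
	s = strings.Trim(strings.TrimSpace(s), `"`)
	v, err := strconv.ParseUint(strings.TrimPrefix(strings.ToLower(s), "0x"), 16, 32)
	if err != nil {
		return 0, fmt.Errorf("tpm handle %q: %w", s, err)
	}
	return uint32(v), nil
}

// IsPersistentHandle: the top byte 0x81 is TPM_HT_PERSISTENT. A transient
// handle (0x80) names an object that is gone after a reboot or TPM reset.
func IsPersistentHandle(h uint32) bool { return h>>24 == 0x81 }

// Validate rejects configs that would fail at runtime or silently skip the TPM.
func (c TPMKeyConfig) Validate() error {
	if !strings.HasPrefix(c.Device, "/dev/tpm") {
		return fmt.Errorf("tpm_device %q: expected a /dev/tpm* node", c.Device)
	}
	h, err := ParseHandle(c.Handle)
	if err != nil {
		return err
	}
	if !IsPersistentHandle(h) {
		return fmt.Errorf("handle 0x%08x is outside the persistent range 0x81xxxxxx", h)
	}
	if c.KeyType != "" && c.KeyType != "ecdsa-p256" {
		return fmt.Errorf("tpm_key_type %q: unsupported", c.KeyType)
	}
	return nil
}

func main() { fmt.Println(TPMKeyConfig{Device: "/dev/tpmrm0", Handle: "0x81000042"}.Validate()) }
```

A plugin would call Validate from its Caddyfile unmarshaling so that a misconfigured handle is reported at load time rather than as a signing failure during the first TLS handshake.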

Thank you for sharing! Very glad it can be useful for you to build upon!

1 Like

Cool!

I think if you think your changes to certmagic are generalized enough, then you can open a PR and it can be discussed further. That would be the best way to do it.

2 Likes