gRPC TLS with OpenSSL 3 TPM2 Provider – Private Key


Vishakha Rastogi

Jun 11, 2026, 9:17:33 AM
to grpc.io

Hi everyone,

I am trying to secure a gRPC connection using OpenSSL 3 with private keys stored in a TPM.

The private key was generated using the TPM2 OpenSSL provider, and I can successfully access and use the key through OpenSSL. However, when I provide the TPM-backed private key reference/path to the gRPC server for TLS configuration, gRPC reports that the private key is missing or cannot be loaded.

My questions are:

  1. Does gRPC support TPM2/OpenSSL provider-based keys directly?
  2. Is there a way to configure gRPC to use a TPM-backed private key without exporting the key material?
  3. Has anyone successfully integrated OpenSSL 3 providers (specifically TPM2 provider) with gRPC TLS credentials?

Environment:

  • gRPC: 1.62.0
  • OpenSSL: 3.2.6
  • TPM2 OpenSSL Provider: 1.1.1

Any guidance or examples would be greatly appreciated.

Thanks!

Gregory Cooke

Jun 22, 2026, 1:31:31 PM
to grpc.io
Hello,

Can you tell us some more about your setup - are you using gRPC built with a custom OpenSSL version, or are you using a pre-built gRPC release? Further, can you provide a code snippet of how you tried to load the private key?

We have a PrivateKeySigner API. However, using this API is only supported with the standard BoringSSL build.

Vishakha Rastogi

Jun 29, 2026, 1:53:41 AM
to grpc.io
Hello,

I am using gRPC built with a custom OpenSSL version.

  • gRPC: 1.62.0
  • OpenSSL: 3.2.6

I am creating a TPM-backed private key using the following command:

openssl genpkey -provider tpm2 -provider base -algorithm RSA -out test.key

Previously, when using the TPM engine (tpm2tss), I was able to pass the private key to gRPC by specifying the key path with the engine:tpm2tss prefix.

Since the engine is now deprecated and I have migrated to the TPM2 provider, I am unable to pass the TPM-backed private key to gRPC.

Could you please advise on the correct way to use a TPM2 provider-based private key with gRPC/OpenSSL?


Gregory Cooke

Jun 29, 2026, 4:27:08 PM
to Vishakha Rastogi, grpc.io
I'm not sure off the top of my head how to configure a TPM backed key with gRPC with OpenSSL3.

With BoringSSL, one can implement the PrivateKeySigner interface to use a private key in a more generalized way.

OpenSSL experts might have a key path specification or configuration for OpenSSL3+ to still use a TPM. It looks like there might be a way to configure with `OSSL_PROVIDER` directly prior to initializing gRPC. We don't currently have an API in gRPC to hide and configure the `OSSL_PROVIDER` out of the box.

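A preflight check for the key file discussed in this thread, added here as an example (it is not code from any poster or from gRPC). It classifies the file by PEM label, relying on the tpm2-openssl provider writing its wrapped key as a `TSS2 PRIVATE KEY` object, and checks whether the local `openssl` can load the provider; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a PEM key file before handing it to a TLS stack.
# "TSS2 PRIVATE KEY" is the label the tpm2 provider writes (a TPM-wrapped blob);
# the plaintext labels below hold key material readable without the TPM.

pem_key_kind() {
    # Print the kind of the first PEM object in file $1.
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$label" in
        "TSS2 PRIVATE KEY")                 echo tpm2-wrapped ;;
        "PRIVATE KEY")                      echo plaintext-pkcs8 ;;
        "RSA PRIVATE KEY"|"EC PRIVATE KEY") echo plaintext-traditional ;;
        "ENCRYPTED PRIVATE KEY")            echo encrypted-pkcs8 ;;
        "")                                 echo not-pem ;;
        *)                                  echo "other:$label" ;;
    esac
}

tpm2_provider_loadable() {
    # 0 if the local openssl can load the tpm2 provider, 2 if openssl is absent,
    # otherwise openssl's own non-zero exit status.
    command -v openssl >/dev/null 2>&1 || return 2
    openssl list -providers -provider tpm2 -provider base >/dev/null 2>&1
}

preflight_key() {
    # 0: TPM-wrapped key; 1: private key material exposed on disk; 2: anything else.
    kind=$(pem_key_kind "$1")
    case "$kind" in
        tpm2-wrapped)
            echo "$1: TPM-wrapped blob; only a process with the tpm2 provider loaded can parse it"
            return 0 ;;
        plaintext-*)
            echo "$1: private key material is on disk, not TPM-protected" >&2
            return 1 ;;
        *)
            echo "$1: $kind, not a usable TPM key file" >&2
            return 2 ;;
    esac
}

# Stand-alone use: sh preflight.sh test.key
if [ "$#" -gt 0 ]; then
    preflight_key "$1"
fi
```

A file that classifies as `tpm2-wrapped` while `tpm2_provider_loadable` fails points at provider configuration in the consuming process, not at the key file.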