Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent


Tray Torrance (JIRA)

Jan 26, 2017, 8:12:03 PM
to puppe...@googlegroups.com
Tray Torrance updated an issue
 
Puppet / Bug PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent
Change By: Tray Torrance
Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:
{noformat}
# Load All Available Engines
OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}

(Note that {{tss_blob.pem}} is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to {{wrapped_class#new}} in {{Puppet::SSL::Key}}.

Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at {{$ssldir/private_keys/$fqdn.pem}}, as well as installing the engine, etc.
 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Tray Torrance (JIRA)

Jan 26, 2017, 8:12:24 PM
to puppe...@googlegroups.com
Tray Torrance created an issue
Issue Type: Bug
Assignee: Unassigned
Created: 2017/01/26 5:11 PM
Priority: Normal
Reporter: Tray Torrance

Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:

{noformat}
# Load All Available Engines
OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}

(Note that tss_blob.pem is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to wrapped_class#new in Puppet::SSL::Key.

Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at $ssldir/private_keys/$fqdn.pem, as well as installing the engine, etc.

Tray Torrance (JIRA)

Jan 26, 2017, 8:19:02 PM
to puppe...@googlegroups.com
Tray Torrance updated an issue
Change By: Tray Torrance
Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:
{noformat}
# Load All Available Engines

OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}


(Note that {{tss_blob.pem}} is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to {{wrapped_class#new}} in {{Puppet::SSL::Key}}.

Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at {{$ssldir/private_keys/$certname.pem}}, as well as installing the engine, etc.
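As an added illustration (not Puppet's code and not posted in this thread), a Ruby sketch of the config-flag idea above: a hypothetical engine_id setting chooses between today's on-disk PEM key and a key handle obtained through an OpenSSL engine such as 'tpm', followed by the check a defender wants either way, that the loaded key belongs to the agent's certificate. The engine branch only does real work on a host where the engine is installed; the helper names and the self-signed fixture are assumptions for the demo.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical sketch of the PUP-7137 config-flag idea (not Puppet's own
# Puppet::SSL::Key): +engine_id+ selects the key source. 'tpm' routes through
# the OpenSSL TPM engine; nil keeps today's behaviour of reading a PEM file.
class KeyLoadError < StandardError; end

# The issue proposes keeping the TSS blob where the PEM key lives today.
def agent_key_path(ssldir, certname)
  File.join(ssldir, 'private_keys', "#{certname}.pem")
end

# Returns an OpenSSL::PKey usable for TLS client auth. With an engine, the
# returned object is only a handle: the private material never leaves the TPM.
def load_agent_key(path, engine_id: nil)
  return OpenSSL::PKey.read(File.read(path)) if engine_id.nil?

  unless defined?(OpenSSL::Engine)
    raise KeyLoadError, 'this Ruby/OpenSSL build was compiled without ENGINE support'
  end
  begin
    OpenSSL::Engine.load                       # register all built-in engines
    engine = OpenSSL::Engine.by_id(engine_id)  # e.g. 'tpm'
    engine.load_private_key(path)              # path is the TSS blob for the TPM engine
  rescue OpenSSL::Engine::EngineError => e
    raise KeyLoadError, "engine #{engine_id.inspect} unavailable: #{e.message}"
  end
end

# Sanity check before the agent trusts a loaded key: it must belong to the
# certificate the agent presents, whatever the key's backing store.
def key_matches_cert?(key, cert)
  cert.check_private_key(key)
end

# Minimal self-signed cert for the check above (demo fixture, not a CA flow).
def self_signed_cert(key, certname)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```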

John Duarte (JIRA)

Feb 22, 2017, 11:27:02 AM
to puppe...@googlegroups.com

Branan Riley (JIRA)

May 16, 2017, 5:38:05 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: help_wanted triaged

Branan Riley (JIRA)

May 16, 2017, 5:39:05 PM
to puppe...@googlegroups.com
Branan Riley commented on Bug PUP-7137
 
Re: Support Using TPM-Backed SSL Private Keys for Puppet Agent

This is something that we are unlikely to do soon, but we will keep it in mind as we clean up our SSL code in the future.

Josh Cooper (JIRA)

Apr 23, 2019, 6:14:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Sprint: Coremunity Grooming

Josh Cooper (JIRA)

May 2, 2019, 12:40:03 PM
to puppe...@googlegroups.com

Jorie Tappa (JIRA)

May 13, 2019, 12:42:03 PM
to puppe...@googlegroups.com
Jorie Tappa updated an issue
Change By: Jorie Tappa
Sprint: Coremunity Grooming

Josh Cooper (JIRA)

Jul 19, 2019, 7:13:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming

Josh Cooper (Jira)

Jun 5, 2020, 6:26:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-7137
 
Re: Support Using TPM-Backed SSL Private Keys for Puppet Agent

Puppet's agent SSL code has been rewritten, and there is now a Certificate service provider that knows how to load private keys and certs from the file system. It would be fairly easy to override that with a service provider that knows how to load private keys from a TPM module. Although I think this would be useful, we haven't received enough interest to move forward with this, so I'm going to close it. If anyone is interested in taking this on, please reopen.


Paul Were (Jira)

Apr 27, 2021, 1:58:02 PM
to puppe...@googlegroups.com
Paul Were updated an issue
 

We have a new customer DocuSign that has a great interest in using TPM to secure their certificates. They would like to see this feature as part of PE.

Can we re-open this request again and evaluate the possibility of delivering the feature?
