Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-01-26 Thread Tray Torrance (JIRA)
Tray Torrance created an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Issue Type: Bug
Assignee: Unassigned
Created: 2017/01/26 5:11 PM
Priority: Normal
Reporter: Tray Torrance

Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:

{noformat}
require 'openssl'

# Load All Available Engines
OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}

(Note that tss_blob.pem is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to w

Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-01-26 Thread Tray Torrance (JIRA)
Tray Torrance updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Tray Torrance

Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:

{noformat}
require 'openssl'

# Load All Available Engines
OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}

(Note that {{tss_blob.pem}} is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to {{wrapped_class#new}} in {{Puppet::SSL::Key}}.

Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at {{$ssldir/private_keys/$fqdn.pem}}, as well as installing the engine, etc.

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Vi

Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-01-26 Thread Tray Torrance (JIRA)
Tray Torrance updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Tray Torrance

Today, the puppet agent requires its SSL private keys to be stored on disk, optionally encrypted with a password.

On a system with a TPM, and the openssl TPM engine available, the ruby code to retrieve a private key from the TPM is incredibly simple:

{noformat}
require 'openssl'

# Load All Available Engines
OpenSSL::Engine.load
tpm = OpenSSL::Engine.by_id('tpm')
key = tpm.load_private_key('/path/to/tss_blob.pem')
{noformat}

(Note that {{tss_blob.pem}} is the intermediate file generated by the supporting tools for the OpenSSL TPM engine)

With a simple config flag, the Puppet agent could support loading the private key from the TPM (or, due to the Engine API, any arbitrary OpenSSL) engine. The above code would effectively replace a call to {{wrapped_class#new}} in {{Puppet::SSL::Key}}.

Given the niche set of users this likely applies to, it would almost certainly be safe to assume (for now) that users of this feature are comfortable with initializing the TPM out-of-band, and installing the TSS blob at {{$ssldir/private_keys/$certname.pem}}, as well as installing the engine, etc.

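One way the "simple config flag" from the description above could choose between the on-disk key and an engine-held key, failing closed when the engine path is misconfigured. This is an added example, not code from the issue or from Puppet; `load_agent_key`, `KeySourceError` and the `engine_id:` option are hypothetical names.

```ruby
require 'openssl'
require 'tempfile'

# Added illustration, not Puppet code. KeySourceError, load_agent_key and the
# engine_id: option are hypothetical names standing in for the "config flag".
class KeySourceError < StandardError; end

# BEGIN lines of ordinary on-disk private keys (plain or password-encrypted).
PLAIN_KEY_HEADER = /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/

# engine_id nil: today's behaviour, parse the PEM private key stored on disk.
# engine_id set: pass the path to that OpenSSL engine, as in the issue's snippet.
def load_agent_key(path, engine_id: nil, password: nil)
  pem = File.read(path)
  return OpenSSL::PKey.read(pem, password) if engine_id.nil?

  # An ordinary private key at the blob path means the key is on disk after
  # all; refuse it rather than quietly losing the hardware protection.
  if pem.match?(PLAIN_KEY_HEADER)
    raise KeySourceError, "#{path} holds a plain private key, not an engine blob"
  end
  # Ruby builds without OpenSSL ENGINE support do not define OpenSSL::Engine.
  unless defined?(OpenSSL::Engine)
    raise KeySourceError, "OpenSSL::Engine unavailable; cannot use '#{engine_id}'"
  end
  begin
    OpenSSL::Engine.load
    OpenSSL::Engine.by_id(engine_id).load_private_key(path)
  rescue OpenSSL::Engine::EngineError => e
    # Fail closed: an engine was requested, so never fall back to a disk key.
    raise KeySourceError, "engine '#{engine_id}' failed on #{path}: #{e.message}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a throwaway EC key written where the blob should be.
  Tempfile.create('agent_key') do |f|
    f.write(OpenSSL::PKey::EC.generate('prime256v1').to_pem)
    f.flush
    puts load_agent_key(f.path).class # disk mode still works
    begin
      load_agent_key(f.path, engine_id: 'tpm')
    rescue KeySourceError => e
      puts "refused: #{e.message}"
    end
  end
end
```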

Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-02-22 Thread John Duarte (JIRA)
John Duarte updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: John Duarte
Team: Agent & Platform



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2021-04-27 Thread Paul Were (Jira)
Paul Were updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

We have a new customer DocuSign that has a great interest in using TPM to secure their certificates. They would like to see this feature as part of PE. Can we re-open this request again and evaluate the possibility of delivering the feature?



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2020-06-05 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-7137

Re: Support Using TPM-Backed SSL Private Keys for Puppet Agent

Puppet's agent SSL code has been rewritten, and there is now a Certificate service provider that knows how to load private keys and certs from the file system. It would be fairly easy to override that with a service provider that knows how to load private keys from a TPM module. Although I think this would be useful, we haven't received enough interest to move forward with this, so I'm going to close it. If anyone is interested in taking this on, please reopen.



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-05-16 Thread Branan Riley (JIRA)
Branan Riley updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Branan Riley
Labels: triaged



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-05-16 Thread Branan Riley (JIRA)
Branan Riley updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Branan Riley
Labels: help_wanted triaged



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2017-05-16 Thread Branan Riley (JIRA)
Branan Riley commented on PUP-7137

Re: Support Using TPM-Backed SSL Private Keys for Puppet Agent

This is something that we are unlikely to do soon, but we will keep it in mind as we clean up our SSL code in the future.



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2019-04-23 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Josh Cooper
Sprint: Coremunity Grooming



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2019-05-02 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Josh Cooper
Sprint: Coremunity Grooming



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2019-05-13 Thread Jorie Tappa (JIRA)
Jorie Tappa updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Jorie Tappa
Sprint: Coremunity Grooming



Jira (PUP-7137) Support Using TPM-Backed SSL Private Keys for Puppet Agent

2019-07-19 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-7137
Support Using TPM-Backed SSL Private Keys for Puppet Agent

Change By: Josh Cooper
Sprint: Coremunity Grooming
