Hi John,

> and I conclude from this example, that private key stored in TPM is
> loaded to program memory the same way as if it was stored in a file (log
> message: "...charon-systemd[21165]: loaded RSA private key from token").
> Am I correct?

No, that's only the generic log message that you'll see for any private key loaded by the configuration backend, whether that private key is actually loaded into memory or it's just a reference to a key (as is the case here). Private keys on PKCS#11 tokens or in a TPM can't be accessed directly, so they never end up in memory.

Regards,
Tobias
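To make the distinction in Tobias's reply concrete, here is an added swanctl.conf fragment (not part of the thread, and not quoted from the strongSwan project) contrasting the two ways a private key can be configured. The section and option names follow my reading of the swanctl.conf documentation and should be treated as an assumption to verify against the strongSwan version in use; the handle, file name and PIN are constructed placeholders.

```conf
secrets {
    # File-backed key: charon reads the PEM file and the RSA key material
    # itself lives in charon's process memory for as long as it is loaded.
    private-file {
        file = /etc/swanctl/private/hostkey.pem   # constructed path
    }

    # Token-backed key: charon stores only a reference to the key object.
    # Signatures are computed inside the TPM 2.0 or PKCS#11 token via the
    # tpm or pkcs11 plugin; the private key material never leaves the device.
    token-tpm {
        handle = 0x81010002   # constructed TPM 2.0 persistent handle
        module = tpm          # plugin name assumed here; check your build
        pin = 123456          # constructed authorization value
    }
}
```

Both definitions produce the same "loaded RSA private key" style log line when swanctl loads them, which is why the log message alone says nothing about where the key material resides; the `token` section is what tells you the key stays on the device.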