I have a signing key that I need to safely store.
What I used to do was store it directly in the hardware available on that same host (TPM 2.0, using the PKCS#11 API). Now I am moving my services to Kubernetes; I have tried googling "Kubernetes TPM", but everything I have found was about securing Kubernetes with a remote TPM (via a Key Management System), not on the host itself. Is using the hardware located on the node an anti-pattern (because I am seeing very little about using the node TPM with Kubernetes)? What is most commonly done to protect those signing keys (aside from KMS)?
Thanks!
CodePudding user response:
- Run your Kubernetes cluster.
- Deploy HashiCorp Vault as one of your first applications.
- Then configure it according to your needs, i.e. https://www.vaultproject.io/docs/configuration/seal/pkcs11
In this era, APIs are the way.
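To make the answer concrete, here is an added example (not part of the original post, and not copied from HashiCorp's documentation) of a Vault server configuration that uses the `pkcs11` seal the answer links to, so that Vault's own unseal key is wrapped by a key held in the node's PKCS#11 device rather than stored on disk. The library path, slot, PIN and key labels are assumptions for a SoftHSM-style module; on a node with a TPM 2.0 you would point `lib` at the TPM's PKCS#11 provider instead. The storage and listener paths are placeholders.

```hcl
# Added example: Vault server config using the pkcs11 auto-unseal seal.
# Every path, slot number, PIN and label below is an assumption for a
# SoftHSM-style PKCS#11 module; substitute the values of the node's HSM or
# TPM PKCS#11 provider.

storage "raft" {
  path    = "/vault/data"      # placeholder persistent volume path
  node_id = "vault-0"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"   # placeholder
  tls_key_file  = "/vault/tls/tls.key"   # placeholder
}

# The seal stanza: Vault asks the PKCS#11 device to wrap/unwrap its root key,
# so the plaintext root key never sits on disk or in a Kubernetes Secret.
seal "pkcs11" {
  lib            = "/usr/lib/softhsm/libsofthsm2.so"  # PKCS#11 module on the node (assumption)
  slot           = "0"                                # token slot (assumption); token_label also works
  pin            = "REPLACE_WITH_USER_PIN"            # placeholder; VAULT_HSM_PIN env var is the safer route
  key_label      = "vault-root-key"                   # AES key used for wrapping (assumption)
  hmac_key_label = "vault-hmac-key"                   # HMAC key for integrity (assumption)
  generate_key   = "true"                             # create the keys on first start if absent
}
```

Two practical notes from a defender's point of view. First, the `pkcs11` seal is a Vault Enterprise feature, so check licensing before building on it. Second, the seal only protects Vault's own root key; the application signing key from the question would then live inside Vault (for example in the Transit secrets engine), and services in the cluster call Vault's API to sign instead of ever holding the key material themselves, which is the "APIs are the way" point of the answer. Because the PKCS#11 library talks to hardware on the node, the Vault pods must be scheduled only onto nodes that have that device and must be granted access to it (for example through a node selector and a mount of the device), which is the reason node-local TPM use with Kubernetes is rarer than a remote KMS: it ties the workload to specific hardware.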