Using Trusted Platform Modules (TPMs) at scale for protecting keys

Jonathan McDowell

Playlist: asg2024

Meta runs a large production fleet of servers, all making extensive use of TLS for inter-host communication. As part of a general approach to securing keys against exfiltration, a project has been undertaken to use the TPM chips already present in those servers as secure storage for high-privilege private keys. This talk touches on the approach taken to use a hardware-backed key without compromising performance, but mostly focuses on the software infrastructure that had to be built to provision TPMs and monitor their health across the fleet, a prerequisite for confirming that the approach is viable at all.
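The fleet-wide health monitoring the abstract mentions is the part most easily shown in code. The following is an added example, not the tooling described in the talk or anything of Meta's: it parses the YAML-like output of `tpm2_getcap properties-fixed`, `tpm2_getcap properties-variable` and `tpm2_getcap handles-persistent` (tpm2-tools) and turns it into findings a fleet monitor would alert on. The sample outputs are constructed, not captured from a real host; the manufacturer allowlist, the persistent handle reserved for the TLS key, and the lockout-counter threshold are assumptions chosen for illustration.

```python
"""Fleet-side TPM health check over tpm2_getcap output (added example).

Assumes the text format tpm2-tools prints: `KEY: value` lines, or `KEY:`
followed by two-space-indented `sub: value` lines for bit-field properties.
"""
from dataclasses import dataclass

# Assumptions for the fleet policy, not facts from the talk.
KNOWN_MANUFACTURERS = {"IFX", "NTC", "STM", "INTC"}
TLS_KEY_HANDLE = 0x81010001  # persistent handle the TLS key is provisioned to

# Constructed sample output in the shape of `tpm2_getcap properties-fixed`.
SAMPLE_FIXED = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_MANUFACTURER:
  raw: 0x49465800
  value: "IFX"
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x70055
TPM2_PT_FIRMWARE_VERSION_2:
  raw: 0x1A0000
"""

# Constructed sample output in the shape of `tpm2_getcap properties-variable`.
SAMPLE_VARIABLE_OK = """\
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  lockoutAuthSet:            1
  disableClear:              0
  inLockout:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
TPM2_PT_HR_PERSISTENT: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
"""
# Same host after too many bad auth values were sent to the TPM.
SAMPLE_VARIABLE_LOCKED = SAMPLE_VARIABLE_OK.replace(
    "inLockout:                 0", "inLockout:                 1"
).replace("TPM2_PT_LOCKOUT_COUNTER: 0x0", "TPM2_PT_LOCKOUT_COUNTER: 0x20")

# Constructed sample output in the shape of `tpm2_getcap handles-persistent`.
SAMPLE_HANDLES_OK = "- 0x81000001\n- 0x81010001\n"


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" or "warning"
    check: str
    detail: str


def parse_getcap(text):
    """Parse getcap output into {key: value} or {key: {sub: value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable getcap line: {raw!r}")
        value = value.strip().strip('"')
        if raw.startswith(" "):  # sub-field of the current bit-field property
            if current is None:
                raise ValueError(f"indented line without parent: {raw!r}")
            result[current][key] = value
        elif value:
            result[key], current = value, None
        else:
            result[key], current = {}, key
    return result


def parse_persistent_handles(text):
    """Parse the `- 0x8100xxxx` list printed by `handles-persistent`."""
    return [int(line[2:], 0) for line in text.splitlines() if line.startswith("- ")]


def check_host(fixed_text, variable_text, handles_text):
    """Return the findings a fleet monitor would raise for one host."""
    fixed, var = parse_getcap(fixed_text), parse_getcap(variable_text)
    handles = parse_persistent_handles(handles_text)
    findings = []
    if var.get("TPM2_PT_PERMANENT", {}).get("inLockout") == "1":
        findings.append(Finding("critical", "lockout",
                                "TPM is in dictionary-attack lockout; key use fails until it expires"))
    counter = int(var.get("TPM2_PT_LOCKOUT_COUNTER", "0"), 0)
    max_fail = int(var.get("TPM2_PT_MAX_AUTH_FAIL", "0"), 0)
    if max_fail and counter * 2 >= max_fail:  # assumed threshold: half of the budget
        findings.append(Finding("warning", "lockout-counter",
                                f"{counter}/{max_fail} failed auths; something on the host sends bad auth"))
    if var.get("TPM2_PT_STARTUP_CLEAR", {}).get("shEnable") == "0":
        findings.append(Finding("critical", "storage-hierarchy",
                                "storage hierarchy disabled; persistent keys cannot be used"))
    mfr = fixed.get("TPM2_PT_MANUFACTURER", {}).get("value", "")
    if mfr not in KNOWN_MANUFACTURERS:
        findings.append(Finding("warning", "manufacturer", f"unexpected manufacturer {mfr!r}"))
    if TLS_KEY_HANDLE not in handles:
        findings.append(Finding("critical", "key-missing",
                                f"no key at {TLS_KEY_HANDLE:#x}; host is not provisioned"))
    return findings


if __name__ == "__main__":
    for label, var in (("ok", SAMPLE_VARIABLE_OK), ("locked", SAMPLE_VARIABLE_LOCKED)):
        for f in check_host(SAMPLE_FIXED, var, SAMPLE_HANDLES_OK):
            print(f"{label}: [{f.severity}] {f.check}: {f.detail}")
```

In practice the three text blobs come from running the `tpm2_getcap` subcommands on each host (or from a daemon speaking to `/dev/tpmrm0` directly) and shipping the findings to the fleet monitoring system; the lockout checks matter because a TPM that has been wedged into lockout by buggy software makes its keys unusable for the lockout interval, which at fleet scale is a TLS outage, not a security event.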

Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/
