Hello and thanks for OctoKit.
We're using OctoKit's JS incarnation to drive a GitHub App for managing ephemeral runners and we'd like to have our GitHub App's private key not available in plain-text to the application. Although the key is stored under encryption at rest, when it's loaded into the App's backend code, it's at risk of being accidentally disclosed. Instead, we would much rather have the key loaded into our host machine's vTPM and used at a distance over PKCS#11 or similar.
It looks like auth-app uses universal-github-app-jwt, which ultimately uses the jsonwebtoken package for its JWT signing. The use of `jsonwebtoken` is similar to another request I filed with the Azure JS SDK team, as are potential process-spawning or socket-based connections, including the possible use of the OpenSSH agent protocol for signing JWTs. (See the links in this follow-up comment in particular.)

In any case, being able to bind our keys to machines' TPMs would make me feel a lot better about our security posture!
Thanks for your time.