How to keep private keys used by talosctl secure in hardware tokens like Yubikey, Nitrokey PRO2/3, other PKCS11 compatible dongle, etc.?

[a-prokopyev-resume]

Hello,

Does anyone know how to use PKCS11 hardware crypto for mtls authentication in talosctl ?

It seems AI generates hallucination:
https://www.perplexity.ai/search/how-to-use-pkcs11-with-talosct-Pqv2QXiYR8yWOjOWqLPbUg

Google does not return anything about +talos +yubikey :(

May be it is possible to get PKCS11 working with PKI?
https://www.talos.dev/v1.7/talos-guides/howto/cert-management/

[smira]

At the moment, there's no support for it (in talosctl, but you can build your own tooling which supports it), but it might be nice to have something like that.

It would be still of limited use probably, as the cluster admin should have cluster secrets which are more sensitive than a client talosconfig.

So the only case I can see here is giving out access to Talos API to non-privileged users.

Another angle to that is to use Omni which acts as an authentication proxy, and ties Talos/Kubernetes API access to some authentication provider (e.g. Google), so no long-lived secrets on the client machine.