09-25, 10:15–10:40 (Europe/Berlin), Main Hall
Meta runs a large production fleet of servers, all making extensive use of TLS for inter-host communication. As part of a general approach of securing keys against exfiltration a project has been undertaken to make use of existing TPM chips to provide secure storage for high privilege private keys. This talk will touch upon the approach taken to allow for the use of a hardware backed key without compromising performance, but mostly focus on the software infrastructure that needed to be built to provision and monitor TPM health across the fleet (a prerequisite for confirmation of viability).
An experienced software developer who has worked on a wide range of infrastructure areas, including networking and storage, Jonathan is currently at Meta working on host integrity. This team works to provide a foundational hardware-focused layer that can be leveraged to ensure hosts are in a trusted state. One of the central components of this is the use of TPMs to provide secure key storage at scale.