google / certificate-transparency-go

Auditing for TLS certificates (Go code)
https://certificate.transparency.dev
Apache License 2.0

KMS/HSM support #1056

Open codysoyland opened 1 year ago

codysoyland commented 1 year ago

My team is interested in running a Trillian-based CT Log with a signer in Azure Key Vault using an HSM. It doesn't look like this project has support for KMS systems like Azure Key Vault or GCP/AWS KMS. Is there any plan or prior effort to build KMS support into this project?

mhutchinson commented 1 year ago

Hey @codysoyland, this is a good question. I'm fairly confident that this is something that is not currently being worked on, but is something we would likely accept a PR to add functionality for. Is this something you'd be interested in writing an integration for?

codysoyland commented 1 year ago

> Is this something you'd be interested in writing an integration for?

Thanks for the quick reply! I will investigate the level of effort to see if we have the capacity to build it and update here if we are able to get started on it.

ChevronTango commented 1 year ago

I too would be interested in AWS KMS support for CT log and Trillian. We consider having certificates stored alongside the deployment to be undesirable from a security perspective, so KMS is much preferred.