Hey everyone, hope you're all having a good week.
We've been rolling out OpenClaw in our production environment, and it's been great for our standard web service secrets. However, we've hit a roadblock with our Hardware Security Module. Our infra team mandates that certain master keys and signing keys *must* live on our YubiHSM 2, and OpenClaw's built-in secret store doesn't seem to have a plugin or native support for it.
Our `openclaw.toml` uses the default file store:
```toml
[secret_store]
type = "file"
path = "/var/lib/openclaw/secrets.json"
```
I've dug through the docs and the `openclaw` crate features, but I only see `file`, `vault` (HashiCorp), and `aws_secrets_manager`. Has anyone else integrated an HSM with OpenClaw's secret retrieval? I'm looking at two potential paths:
1. Writing a custom `SecretStore` implementation that uses the HSM's API. Before I dive into that, I wanted to check if there's existing community work or a crate I've missed.
2. Using the Vault store with the `vault-pkcs11` plugin, which *does* support our HSM, and letting OpenClaw talk to Vault. This adds another moving part, but it might be the pragmatic route.
Our main goal is to keep the HSM as the root of trust while letting OpenClaw agents securely fetch the secrets they need for their workflows. Any insights or alternative patterns would be really appreciated. What are you all using for higher-assurance secret storage?
~Alex | OpenClaw maintainer
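Path 1 in the post, a custom `SecretStore` that keeps the HSM as the root of trust, is sketched below as an added example; it is not OpenClaw code and not the poster's, and the `SecretStore` and `Hsm` traits, the `HsmSecretStore` type and every label and secret value in it are assumptions for illustration. The design point it shows: the store on disk holds only blobs wrapped under a key that lives in the HSM, every fetch is gated by a per-agent allowlist and audited, and the plaintext exists only for the duration of the call. `MockHsm` stands in for a PKCS#11 adapter so the example runs offline; its XOR transform is a placeholder for the device's AES key-wrap and has no security value.

```rust
use std::collections::HashMap;

/// Hypothetical equivalent of the secret-store interface OpenClaw would expose.
/// (Assumption: the real trait, if one exists, is not shown on the page.)
pub trait SecretStore {
    fn get(&mut self, agent: &str, name: &str) -> Result<Vec<u8>, StoreError>;
}

#[derive(Debug, PartialEq)]
pub enum StoreError {
    NotFound,
    Forbidden,
    Hsm(String),
}

/// Minimal view of the HSM: it unwraps under a key identified by label and
/// never exports that key. A real adapter would call PKCS#11 C_UnwrapKey or
/// C_Decrypt on the YubiHSM 2; this trait is an assumption for the example.
pub trait Hsm {
    fn unwrap(&self, wrapping_key_label: &str, wrapped: &[u8]) -> Result<Vec<u8>, StoreError>;
}

/// In-memory stand-in so the example runs offline. The XOR stream below is a
/// placeholder for AES key-wrap inside the device and is NOT a cipher.
pub struct MockHsm {
    keys: HashMap<String, Vec<u8>>,
}

fn xor_stream(key: &[u8], data: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(d, k)| d ^ k).collect()
}

impl MockHsm {
    pub fn new() -> Self {
        MockHsm { keys: HashMap::new() }
    }
    /// Provisioning step: in production the wrapping key is generated on the
    /// device and never seen by the host.
    pub fn import_wrapping_key(&mut self, label: &str, key: &[u8]) {
        self.keys.insert(label.to_string(), key.to_vec());
    }
    /// Used here only to build sample wrapped blobs.
    pub fn wrap(&self, label: &str, plaintext: &[u8]) -> Result<Vec<u8>, StoreError> {
        let key = self.keys.get(label).ok_or_else(|| StoreError::Hsm(format!("no key {label}")))?;
        Ok(xor_stream(key, plaintext))
    }
}

impl Hsm for MockHsm {
    fn unwrap(&self, label: &str, wrapped: &[u8]) -> Result<Vec<u8>, StoreError> {
        let key = self.keys.get(label).ok_or_else(|| StoreError::Hsm(format!("no key {label}")))?;
        Ok(xor_stream(key, wrapped))
    }
}

/// What the file store persists: ciphertext plus policy, never plaintext.
pub struct WrappedSecret {
    pub wrapping_key_label: String,
    pub wrapped: Vec<u8>,
    pub allowed_agents: Vec<String>,
}

pub struct HsmSecretStore<H: Hsm> {
    hsm: H,
    secrets: HashMap<String, WrappedSecret>,
    audit: Vec<String>,
}

impl<H: Hsm> HsmSecretStore<H> {
    pub fn new(hsm: H) -> Self {
        HsmSecretStore { hsm, secrets: HashMap::new(), audit: Vec::new() }
    }
    pub fn add(&mut self, name: &str, entry: WrappedSecret) {
        self.secrets.insert(name.to_string(), entry);
    }
    pub fn audit_log(&self) -> &[String] {
        &self.audit
    }
}

impl<H: Hsm> SecretStore for HsmSecretStore<H> {
    fn get(&mut self, agent: &str, name: &str) -> Result<Vec<u8>, StoreError> {
        let entry = self.secrets.get(name).ok_or(StoreError::NotFound)?;
        // Policy check happens before the HSM is touched, so a denied agent
        // never causes an unwrap operation (and never sees whether the key exists).
        if !entry.allowed_agents.iter().any(|a| a == agent) {
            self.audit.push(format!("DENY agent={agent} secret={name}"));
            return Err(StoreError::Forbidden);
        }
        let result = self.hsm.unwrap(&entry.wrapping_key_label, &entry.wrapped);
        let outcome = if result.is_ok() { "ALLOW" } else { "HSM_ERROR" };
        self.audit.push(format!("{outcome} agent={agent} secret={name}"));
        result
    }
}

/// Constructed sample data: a mock KEK, one secret wrapped under it, and one
/// entry pointing at a label the HSM does not hold (a rotation or provisioning bug).
pub fn build_sample_store() -> HsmSecretStore<MockHsm> {
    let mut hsm = MockHsm::new();
    hsm.import_wrapping_key("openclaw-kek", b"constructed-mock-kek-bytes");
    let blob = hsm.wrap("openclaw-kek", b"sk_test_constructed").unwrap();
    let mut store = HsmSecretStore::new(hsm);
    store.add("stripe_api_key", WrappedSecret {
        wrapping_key_label: "openclaw-kek".into(),
        wrapped: blob,
        allowed_agents: vec!["payments-agent".into()],
    });
    store.add("orphaned_secret", WrappedSecret {
        wrapping_key_label: "missing-kek".into(),
        wrapped: vec![0u8; 8],
        allowed_agents: vec!["payments-agent".into()],
    });
    store
}

fn main() {
    let mut store = build_sample_store();
    let _ = store.get("payments-agent", "stripe_api_key");
    let _ = store.get("billing-agent", "stripe_api_key");
    let _ = store.get("payments-agent", "orphaned_secret");
    for line in store.audit_log() {
        println!("{line}");
    }
}
```

Swapping `MockHsm` for a PKCS#11-backed implementation of `Hsm` is the only change needed to move to the real device; the policy, audit and on-disk format stay the same, which is what makes the HSM the root of trust rather than just another place secrets pass through.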