Hey everyone, I've been reviewing our internal threat model for a high-value agent deployment and the topic of persistent key storage came up. We're currently using software-based sealing, but hardware-rooted security would be a significant step up.
I know the OpenClaw framework abstracts a lot of the crypto operations, but I'm looking at the `claw_keystore` crate and the documentation isn't explicit about TPM 2.0 integration. Can anyone confirm if there's native support for sealing agent identity keys or any sensitive configuration data to a TPM's NVRAM?
Specifically:
- Is there a `Backend` implementation for `tpm2-tss` or a similar crate?
- If it's not built-in, what's the recommended path? Would we need to implement the `KeyStorage` trait ourselves, or is there a pattern for wrapping TPM-sealed blobs to work with the existing keystore?
Our goal is to bind the agent's critical material to a specific device/platform state to mitigate certain physical and cold-boot attack vectors. Any pointers to examples, relevant modules, or even "not yet implemented" status would be super helpful.
—sarah (mod)
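The "wrap TPM-sealed blobs behind the existing keystore" pattern the question raises, as an added Rust example that is not part of this post and not code from OpenClaw or the `claw_keystore` crate: the `KeyStorage` trait shape, the `Sealer` abstraction, `SealedStorage`, `MemoryStorage` and `MockTpm` are all assumptions made for illustration. `MockTpm` only emulates a TPM's PCR-extend and sealing semantics with `DefaultHasher` and an XOR keystream and is not cryptographically secure; a real backend would implement `Sealer` over the TPM 2.0 ESAPI (for example the `tss-esapi` crate) and let the TPM enforce the PCR policy. What the example shows is the defensive property being asked for: the stored blob is useless on its own, and the secret is released only when the platform measurement matches the state it was sealed under.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::Hasher;

#[derive(Debug, PartialEq)]
pub enum KsError {
    NotFound,
    PolicyMismatch,
    Corrupt,
}

/// Assumed shape of the keystore trait the post calls `KeyStorage`.
pub trait KeyStorage {
    fn store(&mut self, id: &str, blob: Vec<u8>) -> Result<(), KsError>;
    fn load(&self, id: &str) -> Result<Vec<u8>, KsError>;
}

/// Stand-in for the existing software keystore: a plain in-memory map.
#[derive(Default)]
pub struct MemoryStorage {
    blobs: HashMap<String, Vec<u8>>,
}

impl KeyStorage for MemoryStorage {
    fn store(&mut self, id: &str, blob: Vec<u8>) -> Result<(), KsError> {
        self.blobs.insert(id.to_string(), blob);
        Ok(())
    }
    fn load(&self, id: &str) -> Result<Vec<u8>, KsError> {
        self.blobs.get(id).cloned().ok_or(KsError::NotFound)
    }
}

/// A sealed blob: the policy digest the secret was bound to, plus ciphertext.
pub struct SealedBlob {
    pub policy_digest: u64,
    pub ciphertext: Vec<u8>,
}

/// What we need from the TPM: seal to the current platform state, and release
/// only when that state is reproduced. A real implementation sits on the ESAPI.
pub trait Sealer {
    fn seal(&self, secret: &[u8]) -> SealedBlob;
    fn unseal(&self, blob: &SealedBlob) -> Result<Vec<u8>, KsError>;
}

/// Simulated TPM with one PCR. NOT secure: DefaultHasher and XOR stand in for
/// the TPM's policy digest and its sealed-object key.
pub struct MockTpm {
    pcr: u64,
}

impl MockTpm {
    pub fn new() -> Self {
        MockTpm { pcr: 0 }
    }
    /// PCR extend: pcr = H(pcr || measurement), so it reflects the whole boot chain.
    pub fn extend(&mut self, measurement: &[u8]) {
        let mut h = DefaultHasher::new();
        h.write_u64(self.pcr);
        h.write(measurement);
        self.pcr = h.finish();
    }
    /// Keystream derived from the PCR value; a different boot state gives different bytes.
    fn keystream(&self, len: usize) -> Vec<u8> {
        (0..len)
            .map(|i| {
                let mut h = DefaultHasher::new();
                h.write_u64(self.pcr);
                h.write_usize(i);
                h.finish() as u8
            })
            .collect()
    }
}

impl Sealer for MockTpm {
    fn seal(&self, secret: &[u8]) -> SealedBlob {
        let ks = self.keystream(secret.len());
        let ciphertext = secret.iter().zip(ks).map(|(a, b)| a ^ b).collect();
        SealedBlob { policy_digest: self.pcr, ciphertext }
    }
    fn unseal(&self, blob: &SealedBlob) -> Result<Vec<u8>, KsError> {
        // Policy check first: refuse to release anything if the platform state changed.
        if blob.policy_digest != self.pcr {
            return Err(KsError::PolicyMismatch);
        }
        let ks = self.keystream(blob.ciphertext.len());
        Ok(blob.ciphertext.iter().zip(ks).map(|(a, b)| a ^ b).collect())
    }
}

/// Adapter: any existing `KeyStorage` now holds only sealed blobs.
pub struct SealedStorage<T: Sealer, K: KeyStorage> {
    pub tpm: T,
    pub inner: K,
}

impl<T: Sealer, K: KeyStorage> SealedStorage<T, K> {
    pub fn new(tpm: T, inner: K) -> Self {
        SealedStorage { tpm, inner }
    }
}

impl<T: Sealer, K: KeyStorage> KeyStorage for SealedStorage<T, K> {
    fn store(&mut self, id: &str, secret: Vec<u8>) -> Result<(), KsError> {
        let sealed = self.tpm.seal(&secret);
        // Wire format (assumed): 8-byte big-endian policy digest, then ciphertext.
        let mut out = sealed.policy_digest.to_be_bytes().to_vec();
        out.extend_from_slice(&sealed.ciphertext);
        self.inner.store(id, out)
    }
    fn load(&self, id: &str) -> Result<Vec<u8>, KsError> {
        let raw = self.inner.load(id)?;
        if raw.len() < 8 {
            return Err(KsError::Corrupt);
        }
        let mut digest = [0u8; 8];
        digest.copy_from_slice(&raw[..8]);
        let sealed = SealedBlob { policy_digest: u64::from_be_bytes(digest), ciphertext: raw[8..].to_vec() };
        self.tpm.unseal(&sealed)
    }
}

fn main() {
    let mut tpm = MockTpm::new();
    tpm.extend(b"firmware-v1"); // constructed boot measurement
    let mut ks = SealedStorage::new(tpm, MemoryStorage::default());
    ks.store("agent-identity", b"constructed-secret".to_vec()).unwrap();
    println!("same state:    {:?}", ks.load("agent-identity"));
    ks.tpm.extend(b"rogue-bootloader"); // constructed: platform state diverges
    println!("changed state: {:?}", ks.load("agent-identity"));
}
```

The design point is that the existing keystore never sees plaintext, so swapping the software backend for a TPM-backed one is a matter of implementing `Sealer` and keeping `SealedStorage` unchanged; the policy digest stored alongside the ciphertext is what lets the TPM (or here, the mock) reject an unseal after a changed boot chain, which is the binding to platform state the post is after.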