Amazing work - it's about time someone found a neat use case for the TPM chip. Nodes look really good with native IPv6 and everything.
Thank you for the feedback!
Would it be possible in the future to extend the tool to use the TPM in the same diskless way for: - bridges that use obfs4 cert - onion services
Ideally, using a TPM is simple enough, but in practice, I found working with the libraries quite tedious. There are very few examples available, often incomplete or with errors. In fact, I initially wanted to perform all operations using the TPM, but for the first version, I had to scale back.
I was thinking if we could have deterministic (based on a seed word string from a dictionary) onion addresses. Same way like you restore a Bitcoin wallet using a seed phrase (secp256k1 ecdsa key) should be possible with curve25519 (Tor v3 Onion Service), but this requires a cryptographer to test it for entropy and security, it's not something we want to play with. Theoretically, it should be possible. Right now the only way to back-up an onion service identity is to copy-paste the key file somewhere.
Keep in mind that not all TPMs support Ed25519, and you still face the limitation where only primary keys can be saved as persistent in the TPM—which are highly restricted in the types you can use. I recommend checking out the examples in the official library. [0]: https://github.com/parallaxsecond/rust-tss-esapi/tree/main/tss-esapi/example...