Did you know that Linux has a full-featured keystore ready to be used by any application or service it runs? Applications can securely store and share credentials, secrets and cryptographic keys, sign and encrypt data, negotiate a common encryption key - all this by never touching a single byte of the underlying cryptographic material.

This is especially useful in the post-heartbleed and cloud-native environments, where services authenticate and securely talk to each other using some kind of credentials. But if a network-facing service also has some secret in its process address space, it sets itself up for a security failure as any potential out-of-bounds memory access vulnerability may allow the secret to be leaked. Imagine a world where you don’t have to run an SSH agent just to protect your SSH keys.

On top of keeping your secrets secret Linux keystore nicely integrates with specialized security hardware, like TPMs and HSMs and may provide a single entry point on the system for applications to obtain their secrets. Thus Linux keystore is a very useful building block for a corporate key management system.