
Isn't this what TPM was designed to avoid?

Neither files nor env variables.

Most chipsets have a rather unused TPM function, and it should be possible to have developers and processes hook into that.

Perhaps using tpmtool? On master process startup ask user for passphrase, and use that to query the TPM stored values?

http://manpages.courier-mta.org/htmlman1/tpmtool.1.html




I have to admit that I don't know a thing about TPM. Like is it also available in virtual environments like AWS is providing? How could this be automated? You don't want to enter a passphrase every time a server (re)boots. Would love to hear if anybody successfully used that.


  Cloud servers
  =============
Xen supports virtual TPM.

I'm no Amazon EC2 expert, but a quick Google exposed a few keen souls who tried to use vTPM and failed. This would suggest that Amazon does not yet support vTPM.

  Re-entering passphrases
  ========================
Well, unless the machine is permissioned by default you will need to give a fresh instance new authorization. Permissioning by default is the same security problem you're trying to avoid though... just shifted. Your overall goal is to have the credentials inaccessible to sniffing, right?

I guess you could set up some form of ssh-agent handshake to make the process less manual.


XenServer (the product from Citrix) or Xen 4.3+ support vTPM. Not sure which version of Xen Amazon uses, but if/when they upgrade to 4.3 it should have built-in support for vTPM operations.


Sniffing isn't the main issue I'm trying to avoid, it's accidental exposure, i.e. minimising the risk that during normal operations the secrets get exposed somehow.


Okay... sniffed accidentally then (putting them in the wrong directory, not using fs permissions properly, etc.).

I would say that you should consider malicious sniffing too.
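The two accidental-exposure channels the thread keeps circling back to, secrets in environment variables and secrets in files with loose permissions, can be demonstrated concretely. The script below is an added example, not code from any commenter: it shows that a secret placed in the environment is inherited by every child process, that scrubbing the child's environment stops that, that a secret can instead be handed to one specific child over an inherited pipe (the same idea as the ssh-agent handshake suggested above, with the secret being whatever the master process obtained at startup), and how to check whether a secret file is readable by group or world. All secret values are constructed for the demo, and the helper names are this example's own.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample secret used only for this demonstration.
DEMO_SECRET = "constructed-demo-secret"


def child_sees_env_secret(name, value):
    """Spawn a child with the secret in its environment and report whether the
    child can read it.  This is the default inheritance the thread warns about:
    every subprocess (and anything that can read /proc/<pid>/environ on Linux)
    gets its own copy of the secret."""
    env = dict(os.environ)
    env[name] = value
    probe = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    out = subprocess.run([sys.executable, "-c", probe, name],
                         env=env, capture_output=True, text=True, check=True)
    return out.stdout == value


def child_sees_env_secret_after_scrub(name, value):
    """Same spawn, but the child's environment is built without the secret, so
    the parent keeps it in memory and the child inherits only what it needs."""
    env = {k: v for k, v in os.environ.items() if k != name}
    probe = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    out = subprocess.run([sys.executable, "-c", probe, name],
                         env=env, capture_output=True, text=True, check=True)
    return out.stdout == value


def receive_secret_over_pipe(value):
    """Hand the secret to one chosen child over an inherited pipe instead of the
    environment.  The write end is closed immediately after writing, only the
    read end is passed (pass_fds), and the child consumes it once; no other
    process inherits it and it never appears in the child's environ block."""
    rfd, wfd = os.pipe()
    os.write(wfd, value.encode())
    os.close(wfd)
    probe = ("import os, sys; fd = int(sys.argv[1]); "
             "sys.stdout.write(os.read(fd, 4096).decode()); os.close(fd)")
    out = subprocess.run([sys.executable, "-c", probe, str(rfd)],
                         pass_fds=(rfd,), capture_output=True, text=True,
                         check=True)
    os.close(rfd)
    return out.stdout


def file_is_group_or_world_readable(path):
    """True if anyone other than the owner can read the file (the 'not using fs
    permissions properly' case from the thread)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def secret_file_readable_by_others(value, mode):
    """Write the secret to a temporary file with the given mode (set with fchmod
    so the umask does not interfere), run the permission check, remove the file
    and return the check's result."""
    fd, path = tempfile.mkstemp()
    try:
        os.fchmod(fd, mode)
        os.write(fd, value.encode())
        os.close(fd)
        return file_is_group_or_world_readable(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    name = "DEMO_SECRET_VAR"
    print("child reads secret from env:        ",
          child_sees_env_secret(name, DEMO_SECRET))
    print("child reads secret after scrub:     ",
          child_sees_env_secret_after_scrub(name, DEMO_SECRET))
    print("child receives secret over pipe:    ",
          receive_secret_over_pipe(DEMO_SECRET) == DEMO_SECRET)
    print("0644 secret file readable by others:",
          secret_file_readable_by_others(DEMO_SECRET, 0o644))
    print("0600 secret file readable by others:",
          secret_file_readable_by_others(DEMO_SECRET, 0o600))
```

The pipe variant is what a master process would use after it has obtained the secret once at startup (from a passphrase prompt, a TPM query or an agent): workers are forked with the read end only, the secret never touches a file or the environment, and a stray `ps eww` or a misconfigured backup of the config directory has nothing to pick up. The script uses POSIX-only calls (`os.fchmod`, `pass_fds`) and so runs on Linux and the BSDs, not on Windows.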





