I have an embedded Linux system with MQTT through a local broker. Applications act as MQTT clients to the local broker, which is set up as a bridge to a cloud broker.
To enable TLS between the local and cloud broker there are options in mosquitto.conf such as bridge_certfile which use keys on the file system, as explained in this question and the Mosquitto documentation.
How can I set up the Mosquitto bridge to use OpenSSL for TLS, to enable the use of a Secure Element for private key storage?
This answer assumes that the secure element is a TPM2 module.
You can use the tls_engine mosquitto.conf option to enable the TPM. Then use the normal bridge_keyfile to point to the key handle file. You will also need to set tls_keyform engine. You might also need the tls_engine_kpass_sha1 option to supply the private key passphrase.
I suggest you look at the tpm2tss docs here: https://github.com/tpm2-software/tpm2-tss-engine
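As an added example (not part of the original question or answer), here is a mosquitto.conf bridge section assembled from the options named above; the engine id tpm2tss, the hostnames, file paths and topic are assumptions, and the key blob is assumed to have been generated on the device with the tpm2tss-genkey tool shipped with tpm2-tss-engine:

```conf
# Added example, not the original poster's configuration.
# Assumptions: the TPM key blob was created on this device with
# tpm2tss-genkey and the client certificate was issued for its public key;
# hostnames, paths and the topic are placeholders.

# Load the OpenSSL engine and tell Mosquitto that key files are engine
# handles rather than plain PEM private keys (applies to the bridge below).
tls_engine tpm2tss
tls_keyform engine
# Only needed if the TPM key was created with an auth value: supply the
# hex-encoded SHA-1 of that passphrase (placeholder value shown).
#tls_engine_kpass_sha1 <hex-sha1-of-key-passphrase>

connection cloud
address cloud-broker.example.com:8883
topic sensors/# out 1

# CA that issued the cloud broker's server certificate (verifies the remote end).
bridge_cafile /etc/mosquitto/certs/cloud-ca.pem
# Client certificate for the TPM-resident key (public part only).
bridge_certfile /etc/mosquitto/certs/bridge-client.crt
# TPM key handle blob produced by tpm2tss-genkey: the private key is only
# ever unwrapped inside the TPM, so it is never readable from the filesystem.
bridge_keyfile /etc/mosquitto/certs/bridge-client.tss.key
```

Verify the engine is visible to the broker's OpenSSL before starting Mosquitto (for example with `openssl engine tpm2tss`), since a missing engine fails the bridge's TLS handshake rather than the config parse.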