To Ori's point, for such a factotum-on-a-stick to be as secure as possible (the main point), you would need hardware support like encrypted storage, trusted execution env, hardware root of trust attestations all the way to the manufacturer, etc.
This level of security is crucial for trustworthy IoT (e.g. trusting over-the-air updates), which is why some SoC's like Nordicsemi NRF52, 53, 54 and STMicroelectronics STM32L5, H5 have these capabilities. Arm's Platform Security Architecture framework is a good resource for considering all the ways that secrets can be compromised and how the processor architecture can help mitigate them. If doing embedded development isn't a showstopper, I think working out how to embed factotum in a suitable device and figuring out the mechanics of integrating it into the user environment would be a useful experiment. There are inexpensive dev kits for NRF and STM soc. On Tue, Dec 30, 2025 at 4:14 PM <[email protected]> wrote: > > y'all are reinventing a TPM. > > Quoth sirjofri via 9fans <[email protected]>: > > 30.12.2025 19:22:13 Dworkin Muller <[email protected]>: > > > Alternatively, just set it up as a secret store, like is done with > > > terminals. Not quite as elegant/cool, but perhaps more practical. > > > > In general, you're right. However the big difference (and why I think > > there's a solid use case for a factotum key) is that the machine that runs > > factotum has to be secure. If you have a terminal with its own factotum > > program, that's fine. The program is on a trusted machine. However, if your > > terminal boots off a fs, you have to trust the factotum program on that fs > > to not steal your keys when executed. If you run factotum in a remote > > session, you have to trust the server. If you have a single enclosed > > factotum key and no way for the host to download the secrets directly, then > > you can use it even on an untrusted machine. > > > > Sure, you still need a way to edit the keys. Maybe a specific mount access > > using an additional secret for editing or something similar could be > > invented. > > > > In any case, I think for a fully trusted environment you probably don't > > need a factotum key. I think the whole factotum and secstore stuff is built > > around this level of trust (you trust the grid). If you consider a public > > grid with multiple users and people who sign in as guests, I'd prefer to > > not have my secrets uploaded into the memory of a machine that I can't > > control myself, if possible. And people do set up grids like that. That's > > why I welcome experiments into that direction. Not to replace the current > > status quo, but to extend it in a compatible way for different use cases. > > > > sirjofri ------------------------------------------ 9fans: 9fans Permalink: https://9fans.topicbox.com/groups/9fans/Ta60752663ff08448-M49d8a21810679e15bff7ef46 Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
