Recently we've been researching how to set up TPM on our Linux hosts: when they boot, the grub parameters and kernel are checksummed, and if the checksum is as expected the TPM module unseals a key used for decrypting the root filesystem and the machine boots. If there's any tampering, the key isn't unsealed and the computer doesn't boot. Nice and secure.
In a similar vein, I'd like to store secrets (e.g. the keys for TLS certificates, maybe even the TLS certificates themselves) on our FreeIPA server, and only deliver them to the host if the host is authenticated. The intent is to supply the certificates to Nginx (or some other web server) without storing them on disk (ramdisk is ok), as described on the nginx website (Google 'Secure Distribution of SSL Private Keys with NGINX').
I also found an article (Google 'Encrypt and decrypt a file using SSH keys') on how to use an ssh public key to encrypt a file and it made me wonder if the same thing could be done here, leveraging the security of Kerberos and FreeIPA.
In short, is there a way to do this with existing `ipa` commands, authenticating the operations by using the host's /etc/krb5.keytab file so it can be done in an unattended way?
Thanks!
----
EDIT: To be more concrete, I want to retrieve a string that contains a LetsEncrypt-signed wildcard TLS Certificate and its encrypted key (which I can then load into an Nginx server) without having a human decrypt it.
* Step one: have the host authenticate automatically to the LDAP server (this is optional if the string is encrypted). It already does, but I'm not sure how to utilize that for my application.
* Step two: get the string that's stored in LDAP (perhaps in jpegPhoto or audio, or if stored in a host object then some other attribute)
* Step three: decrypt the string (one way is by using an ssh keypair in an unexpected way: https://www.bjornjohansen.com/encrypt-file-using-ssh-key . Perhaps Kerberos can be (ab)used in a similar way?)
* Step four: put the string into the right place; the nginx blog post suggested a file on a tempfs filesystem, although I'd prefer a Kernel keychain.
* Step five: start Nginx that's been configured as described in https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/
Since FreeIPA already works with certificates (see `ipa help cert`) I hoped it wouldn't be too much of a stretch to work with arbitrary certificates (versus FreeIPA-generated ones).
Edit^2: It turns out that FreeIPA has a feature for handling secrets like this, called Vaults. No need to stuff data into unrelated LDAP properties, no need to hack together some encryption, and it can link secrets to service principals, users, or groups! It's all in the help text (`ipa help vault`), but since it's near the end of the alphabet I'd never read that far. They're rivalling AWS for "most features crammed into a single CLI" bragging rights. :-)
Asked by PFudd
(193 rep)
Jun 5, 2023, 01:16 AM
Last activity: Sep 30, 2024, 09:02 PM
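One way to script steps one through four with the Vault feature the asker found, as an added example that is not part of the original post or of FreeIPA's own tooling: the host authenticates with its keytab, pulls the key out of a service vault, and stages it in a 0600 file on tmpfs for nginx, wiping it on exit. The vault name `tls-wildcard-key`, the staging directory `/run/nginx-tls`, and the use of GNU `stat -f` for the filesystem check are assumptions; `kinit -k -t` and `ipa vault-retrieve --service/--out` are the real MIT Kerberos and FreeIPA options.

```shell
#!/bin/sh
# Added example: unattended TLS key retrieval from a FreeIPA service vault.
# Not the question's own script; vault name, realm and paths are assumptions.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
VAULT_NAME="${VAULT_NAME:-tls-wildcard-key}"   # assumed vault name
STAGE_DIR="${STAGE_DIR:-/run/nginx-tls}"       # assumed tmpfs-backed directory

# The service principal that owns the vault: host/<fqdn>@<REALM>.
host_principal() {
  printf 'host/%s@%s\n' "$1" "$2"
}

# Step one: authenticate as the host with the keytab created at enrollment,
# so no human has to type a password.
host_kinit() {
  kinit -k -t "$KEYTAB" "$1"
}

# Steps two and three: FreeIPA decrypts the vault server-side for the
# authenticated principal and hands back the plaintext; nothing is parked
# in unrelated LDAP attributes and no hand-rolled crypto is involved.
vault_fetch() {
  ipa vault-retrieve "$VAULT_NAME" --service "$1" --out "$2"
}

# Refuse to stage a private key on a disk-backed filesystem (GNU stat).
is_tmpfs() {
  [ "$(stat -f -c %T "$1")" = "tmpfs" ]
}

# Step four: copy the secret from stdin into <dir>/<name> with mode 0600
# inside a 0700 directory. The umask change is confined to a subshell.
stage_secret() {
  dir=$1; name=$2
  mkdir -p "$dir"
  chmod 0700 "$dir"
  ( umask 077; cat > "$dir/$name" )
}

main() {
  fqdn=$(hostname -f)
  realm=$(tr '[:lower:]' '[:upper:]' < /etc/krb5.conf | sed -n 's/^ *DEFAULT_REALM *= *//p' | head -n1)
  principal=$(host_principal "$fqdn" "$realm")

  mkdir -p "$STAGE_DIR"
  is_tmpfs "$STAGE_DIR" || { echo "$STAGE_DIR is not tmpfs, refusing" >&2; exit 1; }

  # Remove the staged key when nginx (or this script) exits.
  trap 'rm -f "$STAGE_DIR/wildcard.key"' EXIT INT TERM

  host_kinit "$principal"
  tmp=$(mktemp -p "$STAGE_DIR")
  vault_fetch "$principal" "$tmp"
  stage_secret "$STAGE_DIR" wildcard.key < "$tmp"
  rm -f "$tmp"
  kdestroy

  # Step five is the asker's nginx configuration pointing at $STAGE_DIR/wildcard.key.
  exec nginx -g 'daemon off;'
}

if [ "${1:-}" = "run" ]; then main; fi
```

Running it as `./fetch-key.sh run` under a systemd unit keeps the key only on tmpfs and only for nginx's lifetime; the `trap` is what makes the key disappear when the service stops.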