AWS Key Management System - DFU Package Signing

Hello,

We have a requirement to ensure all private keys are stored within AWS Key Management System (KMS) and the only way to interact with these is via the KMS APIs that are provided. There is no way to extract the private key and therefore it can't be exposed to any single party. However, this presents a problem when trying to sign a DFU package using nrfutil, as we can't simply pass the private_key.pem file into the command line with `nrfutil pkg generate --key-file private_key.pem`

I'm intrigued to understand if others have had similar security requirements, and how they have overcome them?

I think it is a legitimate request to keep private keys inside a key vault or key management system, but I'm not sure how nrfutil can be modified or used to then interact with AWS KMS or even Azure Key Vault.

There are some deprecated python based pc_nrfutil tools available on github, and it would be possible to reverse these and find a way to interact with keyvault for the signing process, but this would be unsupported I expect and would require some time to reverse and understand the process.

Is there another way? Any suggestions welcomed!
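As an added illustration (not code from the post, from nrfutil, or from Nordic) of the pattern the question describes, the block below keeps the private key inside KMS: the build host hashes the bytes to be signed, sends only the digest to the real KMS `sign` API (`MessageType="DIGEST"`, `SigningAlgorithm="ECDSA_SHA_256"`), and converts the DER signature KMS returns into the fixed-width r||s form most embedded verifiers expect. It assumes the signature can be produced outside nrfutil over the package's signed region, which the post does not establish; the payload, the `FakeKmsClient` stand-in for `boto3.client("kms")`, the key alias and the DER bytes are all constructed so it runs offline.

```python
import hashlib

def kms_sign_digest(kms_client, key_id, digest):
    """Sign a precomputed SHA-256 digest in KMS (ECC_NIST_P256 key); only the
    digest leaves the build host and the private key never leaves KMS."""
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    resp = kms_client.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                           SigningAlgorithm="ECDSA_SHA_256")
    return resp["Signature"]  # DER-encoded ECDSA-Sig-Value

def der_to_raw_rs(der, size=32):
    """Convert DER SEQUENCE{INTEGER r, INTEGER s} to fixed-width r||s, the form
    most embedded verifiers expect instead of DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or 2 + der[1] != len(der):
        raise ValueError("not a short-form DER SEQUENCE")  # P-256 sigs are < 128 bytes
    pos, parts = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = der[pos + 1]
        val = der[pos + 2:pos + 2 + n].lstrip(b"\x00")  # drop DER sign-padding byte
        pos += 2 + n
        if len(val) > size:
            raise ValueError("integer wider than curve size")
        parts.append(val.rjust(size, b"\x00"))         # left-pad to fixed width
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return b"".join(parts)

def sign_package_payload(kms_client, key_id, payload):
    """Hash the signed region locally, sign the digest in KMS, return raw r||s."""
    return der_to_raw_rs(kms_sign_digest(kms_client, key_id, hashlib.sha256(payload).digest()))

# Constructed DER signature for offline use: r has its top bit set (so DER
# prefixes 0x00), s is the one-byte value 1 (so it must be left-padded).
CONSTRUCTED_DER_SIG = (bytes([0x30, 0x26, 0x02, 0x21, 0x00]) + bytes([0x80] + [0] * 30 + [1])
                       + bytes([0x02, 0x01, 0x01]))

class FakeKmsClient:
    """Stand-in for boto3.client('kms') so the example runs offline; in production
    pass the real client and the key's ARN or alias (placeholder below)."""
    def sign(self, **kwargs):
        assert kwargs["MessageType"] == "DIGEST" and kwargs["SigningAlgorithm"] == "ECDSA_SHA_256"
        return {"Signature": CONSTRUCTED_DER_SIG}

if __name__ == "__main__":
    raw = sign_package_payload(FakeKmsClient(), "alias/PLACEHOLDER-dfu-key", b"constructed firmware image")
    print(raw.hex())
```

With a real client, the public key for verification comes from `get_public_key` on the same key, so no PEM private key ever exists on the build host.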
