On Fri, 2021-05-21 at 09:17 -0700, James Bottomley wrote:
> I'm not so sure we want to encourage that. The persistent handle space
> is really limited in TPM 2.0. We just ran into a real world situation
> where the TPM ran out after a handful. It was an application that
> loaded files into persistent handles ("because it's easier") and then
> made use of them ... we're currently fixing it not to use persistent
> handles because it doesn't need to.

Makes sense. We should fix StrongSwan then, because they're doing the same thing.
https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin

Of course, if we document the file format and make it ubiquitously supported (including making an OpenSSL *provider* to replace the obsolete ENGINEs, and chasing it into GnuTLS in https://gitlab.com/gnutls/gnutls/-/issues/594 ), that will go a long way towards encouraging applications to use keys wrapped in files instead of NVRAM...