I want to implement Vault as part of the DevOps build pipeline to store all the secrets like passwords and certificates. I understand that Vault keeps the data encrypted, but I have been asked to look for a way to store the Vault's data in a TPM as "it would be more secure and tamper-protected". First off, is this argument valid? Vault already stores the encrypted data, so is this additional layer of encryption really needed?
I read HashiCorp's Vault Storage documentation and it does not directly support any storage over TPM, but if I could mount the TPM on the container then I could probably use filesystem storage to store data inside it.
So, is it possible to mount the host system's Trusted Platform Module (TPM) into a Docker container?