Visitor II
November 25, 2025
Question

using STPM4RasPI / STSAFE private key for Python MQTT mTLS client on Raspberry Pi

I hope you are well. I am working at C-DAC Bangalore, and I need guidance on using an STSAFE (STPM4RasPI) secure element / TPM module with a Python-based MQTT mTLS client on a Raspberry Pi.
 
A short summary of our setup and goal:

  • MQTT broker is already configured for mutual TLS (mTLS).
  • Client device: Raspberry Pi.
  • Goal: build a Python-based MQTT client that uses the private key stored inside the ST TPM/STSAFE module during the TLS handshake (so the private key never leaves the secure element).
Specifically, we would like to know:

  1. Supported approaches / APIs: Which approaches or libraries do you recommend to make a Python TLS client use the TPM-held private key? (For example: ST library/SDK, or other middleware.)
  2. Python ecosystem support: Are there recommended Python libraries or examples for MQTT clients (e.g., paho-mqtt or other clients) that can be configured to use a TPM-backed key for TLS?

We would greatly appreciate sample code snippets or a short how-to showing a Python MQTT client using a TPM-backed key during TLS.

This topic has been closed for replies.

ST Employee
December 17, 2025

Hi @PranavSangar,

Thanks for your interest in the STSAFE-TPM solution.

One point to highlight is that the STSAFE-TPM implements the TPM 2.0 specification from the TCG.

Therefore, STSAFE-TPM is compatible with the TPM 2.0 API.

That being said, to use a TPM in a Linux environment you will use several layers to achieve your goal.

In your context, the MQTT client relies on a crypto library like OpenSSL.

In such a case, you can check how to configure the OpenSSL provider to use the TPM (https://github.com/tpm2-software/tpm2-openssl).

To use the OpenSSL provider, you can configure it with openssl.cnf in the context of your MQTT client. In that case, the cryptography will be managed by the TPM provider.

Unfortunately, I don't have a code snippet to provide you.

I have seen that paho-mqtt uses OpenSSL. This could be an interesting setup to explore.

Best Regards,

Benjamin


Visitor II
December 19, 2025

Hello,

Thank you for the suggestion.

I have already configured OpenSSL to use the TPM2 provider via openssl.cnf, so that cryptographic operations are handled by the TPM provider.

Below is the openssl.cnf file currently in use:

    openssl_conf = openssl_init

    [openssl_init]
    providers = provider_sect
    alg_section = algorithm_sect

    [provider_sect]
    default = default_sect
    tpm2 = tpm2_sect

    [default_sect]
    activate = 1

    [tpm2_sect]
    module = /usr/local/lib/ossl-modules/tpm2.so
    activate = 1

    [algorithm_sect]

With this configuration:

  • OpenSSL successfully loads the tpm2 provider
  • Key operations work correctly when using TPM context files

However, the issue I am facing is specifically with using a TPM persistent handle (for example 0x81010001) in my MQTT client configuration.

When I try to reference the persistent handle (e.g. -key handle:0x81010001 or the equivalent in the MQTT client), OpenSSL is not able to use the key, even though:

  • The handle exists in the TPM (tpm2_getcap handles-persistent)
  • The same key works when referenced via a context file

So the problem is not provider loading, but persistent handle usage with OpenSSL + TPM2 provider in an MQTT/mTLS flow.

Could you please clarify:

  • Whether persistent handles are officially supported by the OpenSSL TPM2 provider for TLS client authentication
  • Or if only TPM context files are expected to be used with OpenSSL-based MQTT clients

Any guidance or reference documentation would be very helpful.

Thank you.
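A Python-side guard for the two key-reference forms discussed in this thread, added here as an example that is not code from the thread or from ST. It shows the client-side reason a `handle:0x81010001` reference cannot work from Python (the ssl module, and therefore paho-mqtt's tls_set, only loads keys from file paths, never from OpenSSL store URIs), refuses a plaintext software key that would defeat the secure-element goal, and builds the paho client with a TPM-wrapped PEM key that the tpm2 provider from the posted openssl.cnf decodes. Assumptions: OpenSSL 3 with that openssl.cnf active (for example via OPENSSL_CONF), paho-mqtt 2.x installed, and the ca_file/cert_file/key_file paths supplied by the reader.

```python
import re
import ssl
from pathlib import Path
# TPM 2.0 persistent object handles occupy the range 0x81000000-0x81FFFFFF.
PERSISTENT_URI = re.compile(r"^handle:0x81[0-9a-fA-F]{6}$")
# PEM labels of TPM-wrapped key blobs; the private part is usable only inside the TPM.
TPM_WRAPPED_LABELS = ("TSS2 PRIVATE KEY", "TSS2 KEY BLOB")
# PEM labels of plaintext software keys, which would defeat the secure-element goal.
SOFTWARE_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY",
                   "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY")


def is_persistent_handle_uri(ref: str) -> bool:
    """True for a tpm2-openssl store URI naming a persistent object, e.g. handle:0x81010001."""
    return PERSISTENT_URI.match(ref) is not None


def classify_pem(text: str) -> str:
    """Return 'tpm-wrapped', 'software' or 'unknown' based on the first PEM label."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    label = m.group(1) if m else ""
    if label in TPM_WRAPPED_LABELS:
        return "tpm-wrapped"
    return "software" if label in SOFTWARE_LABELS else "unknown"


def check_key_ref(ref: str) -> str:
    """Reject references that Python's ssl module cannot open as a file path."""
    if ref.startswith("handle:"):
        raise ValueError(f"{ref}: store URIs work with the openssl CLI, but "
                         "SSLContext.load_cert_chain only reads files; "
                         "use a TPM-wrapped PEM key file instead")
    return ref


def build_tls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """mTLS context; the tpm2 provider activated by openssl.cnf decodes the key."""
    if ssl.OPENSSL_VERSION_INFO < (3, 0):
        raise RuntimeError("OpenSSL 3.x is required for provider-backed keys")
    kind = classify_pem(Path(check_key_ref(key_file)).read_text())
    if kind != "tpm-wrapped":
        raise ValueError(f"{key_file}: {kind} key, expected a TPM-wrapped PEM")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_mqtt_client(ca_file: str, cert_file: str, key_file: str):
    """paho-mqtt 2.x client (assumed installed) using the TPM-backed TLS context."""
    import paho.mqtt.client as mqtt  # assumption: paho-mqtt >= 2.0 on the Pi
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)
    client.tls_set_context(build_tls_context(ca_file, cert_file, key_file))
    return client
```

Connect with `build_mqtt_client(...).connect(broker_host, 8883)`; a private key that is only a TPM-wrapped blob on disk is the sign that the key itself stays in the STSAFE-TPM.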