Replies: 3 comments
-
Related: #2130
-
@z00407087 In order to design this right, we need more feedback from people who want to use encrypted private keys on disk, on how they want to handle server start-up. What integration would you like to see?
What fits with your operational and infosec requirements?
-
The cosign project's issue on this general topic is worth reading: sigstore/cosign#396. In particular, the CNCF Sandbox Project, Parsec, seems worth looking at more closely; listed on The Go integration example in their docs is currently a TODO; adding non-Go to the compile-time requirements for nats-server is probably a non-starter, so we'd be dependent upon a Go implementation of the client library and this would have to remain an optional feature, so that we don't require everyone to set up the independent parsec service.
-
The key_file of nats-server is not encrypted! It is unsafe. Can we encrypt the key_file like the server password?