What is the best place to store certificates and keys which are confidential and sensitive?
As I understand, LUKS is fine and the kernel transparently handles encryption/decryption. Also, the LUKS volume could contain anything and everything, like a normal file system.
On the other hand, I came across SoftHSM from OpenDNSSEC, which offers similar security to that of a hardware HSM except for physical security. Also, moving forward, if at all I wish to use a TPM or smartcard, I could extend the current codebase using the PKCS#11 interface.
Which of these security controls is superior for the purposes of storing keys and certificates?
Also, currently the key used for the encrypted volume is a function of a couple of critical/important parameters that are unique per device, which is used for decrypting the volume. Is it weakening the security, given that one could see how the key is derived, since this is visible in script files (plaintext)? My current hardening for this is auto-starting the job as root and specifying an ACL for the script so that other users would not be able to view the file.