  1. Kudu
  2. KUDU-3448

Store IPKI and TSK key material encrypted

Details

    • Improvement
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • 1.18.0
    • None

    Description

      Key material for IPKI TLS and TSK should be stored on disk securely, even when user data is not encrypted. The symmetric encryption key should be derived from a password using PBKDF2, which is a FIPS-approved KDF. The masters should have a flag that expects a command which outputs the password (similar to --webserver_private_key_password_cmd); that way the users can integrate with an HSM or choose another way to provide the password securely without storing it on a disk.

      Generating new keys or encrypting existing key material is outside the scope of this ticket.

          People

            abukor Attila Bukor
            abukor Attila Bukor
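The flow the description asks for, as an added example that is not Kudu's code: a password command is run without a shell, its output feeds PBKDF2-HMAC-SHA256, and a stored check value rejects a wrong password at startup. The function names, iteration count, salt length, header layout and HMAC subkey split are assumptions made for this sketch, and the cipher that would use `enc_key` is left out.

```python
import hashlib, hmac, os, shlex, subprocess, sys

ITERATIONS = 600_000  # assumption for this example; the ticket names no count
SALT_LEN = 16         # assumption: 128-bit random salt

def password_from_cmd(cmd):
    """Run the password command (no shell) and return its stdout as bytes."""
    out = subprocess.run(shlex.split(cmd), check=True, capture_output=True,
                         timeout=10).stdout
    password = out.rstrip(b"\r\n")  # drop the newline most tools append
    if not password:
        raise ValueError("password command produced no output")
    return password

def derive_keys(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 master key, split into purpose-bound subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    check = hmac.new(master, b"verify", hashlib.sha256).digest()
    return enc_key, check

def create_header(password, iterations=ITERATIONS):
    """Pick a fresh salt; the header is stored in the clear beside the ciphertext."""
    salt = os.urandom(SALT_LEN)
    enc_key, check = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": check}, enc_key

def unlock(password, header):
    """Re-derive the key at startup; reject a wrong password up front."""
    enc_key, check = derive_keys(password, header["salt"], header["iterations"])
    if not hmac.compare_digest(check, header["check"]):
        raise PermissionError("password does not match stored key material")
    return enc_key

if __name__ == "__main__":
    # Constructed stand-in for an HSM or secrets-manager client command.
    cmd = f"{shlex.quote(sys.executable)} -c \"print('constructed-password')\""
    header, key = create_header(password_from_cmd(cmd))
    assert unlock(password_from_cmd(cmd), header) == key
    print("derived", len(key) * 8, "bit key; header check passed")
```

The password never touches disk in this flow: only the salt, iteration count and check value are persisted, and a failing or silent password command stops startup instead of deriving a key from empty input.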