From https://github.com/balena-io-security/security-reviews/blob/main/2022/11-15-2022-balena-sign.md
Key management must be implemented correctly and designed so that a compromise of the host running Balena Sign does not allow immediate access to the raw keying material.
Use an external key management service to create and manage keys instead of storing them on-device.