modified config and created enrolment service and device control service

load-iot-key.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+CPU_SERIAL=$(awk '/Serial/ {print $3}' /proc/cpuinfo)
+KEK=$(echo -n "$CPU_SERIAL" | \
+      openssl dgst -sha256 -hmac "server-provided-salt" | \
+      awk '{print $2}')
+
+# Decrypt into tmpfs
+mkdir -p /run/iot
+openssl enc -d -aes-256-gcm -pbkdf2 \
+  -pass pass:$KEK \
+  -in /etc/iot/keys/device.key.enc \
+  -out /run/iot/device.key
+
+# Load into kernel keyring (root-only key)
+keyctl padd user iot-client-key @s < /run/iot/device.key
+
+# Securely erase plaintext
+shred -u /run/iot/device.key