How to properly secure certificates and keys?

The Mosquitto library uses certificates and keys for connections, which is great. But as far as I can see, it requires paths to the respective files. This means the security data is stored in the file system, which means that if the system is stolen and booted, these certificates/keys can also be stolen, even if they are located on an encrypted volume (which must be mounted to provide access for mosquitto_tls_set()).

What are the recommended options to protect certificate/key data if the system is stolen, apart from setting a user password/restricting console usage? Is there any way of supplying security data to the mosquitto client library without the file system in the middle?

You can optionally use your own OpenSSL SSL_CTX instance instead of the one the library creates; this gives you complete control over what is loaded into that instance, and how.

/* Provide my own SSL_CTX: */
mosquitto_void_option(mosq, MOSQ_OPT_SSL_CTX, my_ssl_ctx);
/* Don't use any of the default settings, in particular don't load certs: */
mosquitto_int_option(mosq, MOSQ_OPT_SSL_CTX_WITH_DEFAULTS, 0);

Does that help?

Roger