This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

Improve security of secrets on disk #164

Open
vpetersson opened this issue Jun 21, 2019 · 2 comments
@vpetersson
Contributor

One of my concerns with storing secrets (e.g. API keys, passwords etc) on disk is that anyone could simply pull out the SD card and copy them. While we provide an easy way to rotate these keys, it's still subpar.

After brainstorming with @sublimino a bit on this, we came up with a fairly clean solution.

If we for a second assume that we have a TPM on the device, and the WoTT certificate lives in this, we could then encrypt these credentials using the certificate. That would mean that the stored secret on the SD card is encrypted.

This of course means that no other application could read back the actual credential, subsequently rendering it useless. To solve this, we can turn to tmpfs. We could add functionality to the agent that simply decrypts the secrets from disk[1] and stores them in a tmpfs partition, from which the application can then read them.

Because tmpfs is just stored in RAM, if someone were to power off the device and try cloning the SD card, they would only be able to see the encrypted file.

In a scenario where the keys reside on the SD card, this would of course just make it slightly more inconvenient for an attacker to read the secrets.

[1] We discussed retrieving them directly from the cloud interface, but that wouldn't work if the device is, say, temporarily offline.

@a-martynovich
Contributor

@vpetersson
I get that we need to encrypt credentials on the SD card and store decrypted credentials in tmpfs. But this spawns a lot of questions.

Who should encrypt them (agent or server)? Using which key?
If the agent should encrypt it using its own key (which is stored on the SD card), this adds zero to security.

Why can't we let the server encrypt credentials and let the agent query that key (storing it in tmpfs for offline use) to use it for decryption of credentials on the SD card?

Also how do we encrypt credentials: symmetrically or asymmetrically?

@vpetersson
Contributor Author

If the agent should encrypt it using its own key (which is stored on SD card) this adds zero to security.

That's why I mentioned the TPM. If you store the key on the SD card, it's somewhat moot. If, on the other hand, you use a TPM, you would also need the actual TPM hardware to decode it.

Also how do we encrypt credentials: symmetrically or asymmetrically?

Asymmetrically, using public/private keys.

@vpetersson vpetersson added the story-points-unknown Unknown Story Points label Mar 9, 2020