...

This module in EVE will be responsible for periodically fetching device policies from the controller and enforcing them on the device. More details are specified in [Ref. 1].

Option 2: Process security config inside ZedAgent Service

In this approach, security policies are pushed along with the rest of the config and parsed by zedagent, but zedagent prioritises handling of the security config over the rest of the config. Any file system interaction needed to set up or unlock the vault directory is done according to the security config received, after which zedagent signals other services that the vault directory is ready for use. Other services can listen for this signal to perform any task they need to do on top of the vault directory. Zedagent interacts with the Vault Manager service to implement the file system encryption requirements.

Break-up of the proposed security config (applicable to both approaches)

The policies are grouped into two major categories:

  • Data At Rest Policies
  • Data In Transit Policies (mostly a placeholder for now, added for future use)

Data at Rest Policy

Data at rest security applies to the mutable, business-sensitive data of Application Instances and to the storage for EVE's sensitive configuration information. Application instance mutable business-sensitive data will be stored in a reserved partition/directory, and the security policy configuration will be applied to it.

...

  • encryption algorithm
  • data handling policy
  • data recovery policy
  • key rotation policy
  • key Information

Encryption Algorithm

This specifies the encryption algorithm to be used for data at rest security [Ref. 1].

  • NONE
  • AES256
  • ADIANTUM

Data handling policy

Data handling policy will define how sensitive storage data is handled on an encryption algorithm change,

...

some user defined policy in the controller module.

Data Recovery Policy

When an EVE node faces a network outage, it will keep operating using the last known policy configuration.

...

The user has to ensure that the proper configuration is stored on the USB stick, or input it through the keyboard.

Key rotation policy

This will define the key rotation activation. The key rotation policy will reside in the controller and will not be communicated to EVE.

Keys

This consists of a set of key information entries (max. 2). For a key rotation scheme, a maximum of two keys will be communicated to the EVE node: the controller will store and publish the last published key along with the most current key. This covers the case where the EVE node was unable to communicate with the controller while a rotation took place.
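The following is an added example, not code from the EVE project or from this proposal, illustrating the data-at-rest break-up above (the encryption algorithm enum and the "max. 2 keys" rule) together with why the controller publishes the previous key alongside the current one. All type and field names (`DataAtRestPolicy`, `KeyInfo`, `WrapVaultKey`, `UnwrapVaultKey`) are assumptions for illustration, as is the choice of AES-256-GCM for wrapping the vault's data-encryption key: a node that missed one rotation while offline can still open its vault with the previously published key and re-wrap under the current one, while a node that missed two rotations cannot.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptionAlgorithm is the data-at-rest algorithm named in the policy.
type EncryptionAlgorithm string

const (
	AlgNone     EncryptionAlgorithm = "NONE"
	AlgAES256   EncryptionAlgorithm = "AES256"
	AlgAdiantum EncryptionAlgorithm = "ADIANTUM"
)

// KeyInfo is one key published by the controller (field names are assumptions).
type KeyInfo struct {
	ID  string
	Key []byte // 32 bytes of key material
}

// DataAtRestPolicy mirrors the break-up in the proposal. At most two keys are
// carried: Keys[0] is the current key, Keys[1] the previously published one.
type DataAtRestPolicy struct {
	Algorithm EncryptionAlgorithm
	Keys      []KeyInfo
}

// Validate enforces the algorithm enum and the "max. 2 keys" rule.
func (p DataAtRestPolicy) Validate() error {
	switch p.Algorithm {
	case AlgNone, AlgAES256, AlgAdiantum:
	default:
		return fmt.Errorf("unknown encryption algorithm %q", p.Algorithm)
	}
	if p.Algorithm == AlgNone {
		return nil // nothing is encrypted, so no keys are required
	}
	if len(p.Keys) == 0 || len(p.Keys) > 2 {
		return fmt.Errorf("expected 1 or 2 keys, got %d", len(p.Keys))
	}
	for _, k := range p.Keys {
		if len(k.Key) != 32 {
			return fmt.Errorf("key %q: expected 32 bytes, got %d", k.ID, len(k.Key))
		}
	}
	return nil
}

// newGCM builds an AES-256-GCM AEAD from 32 bytes of key material.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapVaultKey wraps the vault's data-encryption key (DEK) under the current
// policy key; the random nonce is prepended to the ciphertext.
func WrapVaultKey(p DataAtRestPolicy, dek []byte) ([]byte, error) {
	if err := p.Validate(); err != nil {
		return nil, err
	}
	if p.Algorithm == AlgNone {
		return nil, errors.New("cannot wrap a vault key with algorithm NONE")
	}
	gcm, err := newGCM(p.Keys[0].Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapVaultKey tries the current key first, then the previously published one.
// The returned ID says which key succeeded; if it is not Keys[0].ID, the node
// missed a rotation while offline and should re-wrap under the current key.
func UnwrapVaultKey(p DataAtRestPolicy, wrapped []byte) ([]byte, string, error) {
	if err := p.Validate(); err != nil {
		return nil, "", err
	}
	for _, k := range p.Keys {
		gcm, err := newGCM(k.Key)
		if err != nil || len(wrapped) < gcm.NonceSize() {
			continue
		}
		ns := gcm.NonceSize()
		if dek, err := gcm.Open(nil, wrapped[:ns], wrapped[ns:], nil); err == nil {
			return dek, k.ID, nil
		}
	}
	return nil, "", errors.New("wrapped vault key matches neither published key")
}

// keyFromLabel derives deterministic 32-byte key material from a label. This is
// constructed for the example; a real controller would generate keys randomly.
func keyFromLabel(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

func main() {
	dek := keyFromLabel("vault-dek")
	p := DataAtRestPolicy{Algorithm: AlgAES256, Keys: []KeyInfo{{ID: "k1", Key: keyFromLabel("k1")}}}
	wrapped, _ := WrapVaultKey(p, dek)
	// The controller rotates: k2 becomes current, k1 is still published.
	p.Keys = []KeyInfo{{ID: "k2", Key: keyFromLabel("k2")}, {ID: "k1", Key: keyFromLabel("k1")}}
	_, used, err := UnwrapVaultKey(p, wrapped)
	fmt.Println(used, err) // the node still opens its vault with k1 and can re-wrap under k2
}
```

The fallback order matters for detection as much as for availability: a service that logs which key ID unwrapped the vault gives operators a direct signal that a node is behind on rotation, and a node that fails both keys has been offline across two rotations and needs the recovery path described under the data recovery policy.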

Data in transit policy (Mostly a placeholder for now, details added for brevity)

Currently, data in transit between the controller and EVE (configuration, status and information exchange) is secured through TLS 1.2. Data in transit security for Application instance data traffic is the prerogative of the application software and is out of scope for the current proposal. The scope of the data in transit security policy is the sensitive object-level configuration data in transit between the controller software and the end user (the downloader) inside EVE, viz., data store credentials. This will be done using the device cert/key pair. The sensitive configuration for EVE will be stored in encrypted form (ciphertext) until it is ready for use by the downloader.

...

References

  1. https://wiki.lfedge.org/display/EVE/Encrypting+Sensitive+Information+at+Rest+at+the+Edge
  2. The pull request corresponding to this proposal: https://github.com/lf-edge/eve/pull/186