...

  1. Currently, the sensitive configuration blocks for an EVE Node include (non-exhaustively) data store credentials, WLAN credentials, and cloud-init (which can contain Azure/AWS credentials).
  2. EVE Controller posts this sensitive configuration in clear-text format, as part of the configuration blob, to the EVE Node. Inside the EVE Node, the sensitive configuration blocks are exchanged between agents as-is over the pubsub channel.

...

As part of the data at rest/in transit encryption initiative for EVE, the sensitive configuration block should be encrypted while in transit between EVE Controller and EVE Node, and while at rest (pubsub channel storage) inside the EVE Node, until the end consumer uses it.

...

  1. Every sensitive configuration block will contain a set of attributes storing the encryption configuration (the symmetric key value in cipher text, the key size and the encryption algorithm, e.g., "keySize": "256" bits, "algorithm": "AES-256") that was used to encrypt the block's credential attributes.
  2. EVE Controller will generate a symmetric key for every sensitive configuration block. Alternatively, EVE Controller can use the same key for all sensitive configuration blocks.
  3. EVE Controller will use the symmetric key(s) to encrypt the above-mentioned sensitive configuration blocks, using standard encryption methods (AES-256 etc.) and standard software crypto tools (e.g., openssl or go crypto).
  4. EVE Controller will wrap/seal the symmetric key(s) using the device certificate of the EVE Node, for each sensitive configuration block, before posting to the EVE Node.
  5. Generation/rotation of these symmetric keys can be driven by user-defined policies, which are beyond the scope of this document. EVE Controller can also generate these symmetric keys while constructing the configuration blob for an EVE Node and discard them afterwards, without storing them in any database.
  6. Inside the EVE Node, the sensitive configuration stays encrypted on disk (i.e., in pubsub), and is decrypted only on demand by the end consumer.
  7. The end consumer module (e.g., downloader) will unwrap/unseal the symmetric key with the help of TPM-Mgr (using standard go-tpm APIs) to reconstruct the symmetric key, and then use that key to decrypt the sensitive configuration block using software crypto tools (e.g., openssl or go crypto).
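The seven steps above, carried through end to end in Go as an added example (this is not EVE code and not the design's own schema). Assumptions: the block layout `EncryptedBlock` is hypothetical; the symmetric key is wrapped with RSA-OAEP under the device certificate's public key, the block is encrypted with AES-256 in GCM mode (an authenticated mode, which goes slightly beyond the plain "AES-256" the design names so that tampering with the block on the pubsub store is detected), and a software RSA private key generated inline stands in for the TPM-Mgr/go-tpm unseal step. The credential block `ConstructedSecret` is made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ConstructedSecret is a made-up data store credential block used as the
// example input; it is not real EVE configuration.
const ConstructedSecret = `{"dsType":"s3","accessKey":"AKIAEXAMPLE","secretKey":"example-secret-value"}`

// EncryptedBlock is a hypothetical shape for a sensitive configuration block as
// it would travel in the config blob and sit on the pubsub store: ciphertext plus
// the encryption attributes the design lists (wrapped key, key size, algorithm).
type EncryptedBlock struct {
	Algorithm  string // "AES-256-GCM" here (assumed mode; the design says AES-256)
	KeySize    int    // key size in bits
	WrappedKey []byte // per-block symmetric key, sealed to the device public key
	Nonce      []byte // GCM nonce, fresh for every key
	Ciphertext []byte // encrypted block with the GCM authentication tag appended
}

// SealBlock is the controller side (steps 2-5): a fresh AES-256 key for this one
// block, AES-GCM encryption, the key wrapped with RSA-OAEP under the device
// certificate's public key, and the clear key simply goes out of scope.
func SealBlock(devicePub *rsa.PublicKey, plaintext []byte) (*EncryptedBlock, error) {
	key := make([]byte, 32) // 256-bit symmetric key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlock{Algorithm: "AES-256-GCM", KeySize: 256,
		WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenBlock is the end-consumer side (step 7). On an EVE node the unwrap would
// be done by the TPM through TPM-Mgr/go-tpm; a software RSA private key stands
// in for it here. Any modification of the stored block makes decryption fail.
func OpenBlock(devicePriv *rsa.PrivateKey, eb *EncryptedBlock) ([]byte, error) {
	if eb.Algorithm != "AES-256-GCM" || eb.KeySize != 256 {
		return nil, errors.New("unsupported encryption attributes")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, devicePriv, eb.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, eb.Nonce, eb.Ciphertext, nil)
}

// RoundTrip seals the constructed block, checks that the stored form no longer
// carries the credential in clear text, and opens it again on the consumer side.
func RoundTrip() (recovered string, storedFormLeaks bool, err error) {
	devKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the device key pair
	if err != nil {
		return "", false, err
	}
	eb, err := SealBlock(&devKey.PublicKey, []byte(ConstructedSecret))
	if err != nil {
		return "", false, err
	}
	storedFormLeaks = bytes.Contains(eb.Ciphertext, []byte("secretKey")) ||
		bytes.Contains(eb.WrappedKey, []byte("secretKey"))
	pt, err := OpenBlock(devKey, eb)
	if err != nil {
		return "", storedFormLeaks, err
	}
	return string(pt), storedFormLeaks, nil
}

// TamperDetected shows why an authenticated mode matters for data at rest:
// flipping one byte of the block on the store must make OpenBlock fail rather
// than hand the consumer a silently corrupted credential.
func TamperDetected() (bool, error) {
	devKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	eb, err := SealBlock(&devKey.PublicKey, []byte(ConstructedSecret))
	if err != nil {
		return false, err
	}
	eb.Ciphertext[0] ^= 0x01
	_, err = OpenBlock(devKey, eb)
	return err != nil, nil
}

func main() {
	rec, leaks, err := RoundTrip()
	fmt.Printf("recovered=%q storedFormLeaks=%v err=%v\n", rec, leaks, err)
	tampered, _ := TamperDetected()
	fmt.Println("tamper detected:", tampered)
}
```

Two design points worth noting against the list above: the per-block key in step 2 means that a compromise of one block's key exposes only that block, and the nonce must never repeat under the same key, which a fresh random key per block makes easy to guarantee. The `Algorithm`/`KeySize` check in `OpenBlock` is the consumer honouring the attributes from step 1 rather than trusting whatever mode the blob claims.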

...