Versions Compared

Old Version 19

changes.mady.by.user Hari C S

Saved on

compared with

New Version 20

changes.mady.by.user Hari C S

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This consists of  set of Keys information( max. 2). For a key rotation scheme, a maximum of two keys will be intimated to the EVE. Controller will store and publish, the last published key along with the most current key. This will cover cases, when EVE not able to communicate with controller.

Data in transit policy (Mostly a placeholder for now, details added for brevity)

The data in transit security policy, will be applicable for the sensitive configuration data in transit between the controller software and the end user (downloader) inside EVE.

Data in transit security, is applicable for controller and EVE Module data exchange. The data in transit security for Application instance data traffic will be prerogative of the application software and, is out of scope for the current proposal.Currently, TLS 1.2 is used for data in transit security, for configuration/status/information exchange between the controller and EVE.Additionally, sensitive object level configuration information, viz. data store credentials,  will be secured end-to-end between the controller and downloader(inside EVE), by using the device cert/key pair.Data at rest security is applicable for the Application Instance mutable business sensitive data and  storage for EVE sensitive configuration information.Application instance mutable business sensitive data will be stored in a reserved partition/directory and the security policy configuration will be applied on it.The sensitive configuration for EVE, will be stored in encrypted form (cypher text), till it is ready for use by the end user. viz., data store access credentials.Currently, the data in transit is secured through TLS 1.2 framework,  between the controller and EVE. The data in transit security policy, will be applicable for the sensitive configuration data in transit between the controller software and the end user (downloader) inside EVE.

References

  1. https://wiki.lfedge.org/display/EVE/Encrypting+Sensitive+Information+at+Rest+at+the+Edge
  2. The pull request corresponding to this proposal: https://github.com/lf-edge/eve/pull/186