Currently, data in transit between the controller and EVE (configuration, status and information exchange) is secured with TLS 1.2. Securing the data in transit of application instance traffic is the prerogative of the application software and is out of scope for this proposal. The data in transit security policy proposed here applies to sensitive object-level configuration data in transit between the controller software and its end user inside EVE (the downloader), viz. data store credentials. This will be done using the device cert/key pair. Such sensitive configuration will be held in EVE in encrypted form (cipher text) until it is ready for use by the downloader.
Option 2: Process security config inside ZedAgent service
References
- https://wiki.lfedge.org/display/EVE/Encrypting+Sensitive+Information+at+Rest+at+the+Edge
- The pull request corresponding to this proposal: https://github.com/lf-edge/eve/pull/186