Versions Compared

...

In this approach, security policies are pushed along with the rest of the configuration (via /api/v1/eddgedev/config) and parsed by zedagent, but zedagent prioritises handling of the security config over the rest of the config. Any file system interaction needed to set up or unlock the vault directory has to be done according to the security config received; zedagent then signals other services that the vault directory is ready for use, and those services can listen for that signal to perform whatever they need to do on top of the vault directory. Zedagent would interact with the Vault Manager service to implement the file system encryption requirements.

...

It is a mix of Option 1 and Option 2. It uses the same REST API that is used for pulling the device configuration (/api/v1/eddgedev/config), but Vault Manager extracts the security config parts during pillar launch in order to set up any file system encryption and so on. Once zedagent takes over, any further change in the security config is driven from zedagent, which passes the configuration to Vault Manager through the pubsub mechanism.
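The ordering both options rely on (security config handled first, the vault set up through Vault Manager, a ready signal published, and only then the remaining config applied) is modelled in the following Go program. This is an added example and not EVE's code: the config types, the `VaultManager` interface, the `fakeVault` stand-in, the channel used as a pubsub stand-in, and the `/example/vault` path are all constructed for illustration and do not reflect the real protobuf config or pubsub API.

```go
package main

import (
	"errors"
	"fmt"
)

// --- Hypothetical types, constructed for this example (not EVE's protobufs) ---

// SecurityConfig is the security part of the device config.
type SecurityConfig struct {
	VaultPath string // directory that must be set up / unlocked
	Encrypt   bool   // whether the vault must be encrypted at rest
}

// AppConfig stands in for "the rest of the config".
type AppConfig struct {
	Name string
}

// DeviceConfig is what the config endpoint returns: security plus everything else.
type DeviceConfig struct {
	Security *SecurityConfig
	Apps     []AppConfig
}

// VaultStatus is the message published once the vault directory is usable.
type VaultStatus struct {
	Path  string
	Ready bool
}

// VaultManager models the Vault Manager service the agent delegates to.
type VaultManager interface {
	Setup(sc SecurityConfig) (VaultStatus, error)
}

// Agent models a zedagent-like component. The buffered channel stands in for
// the pubsub topic other services subscribe to.
type Agent struct {
	vault  VaultManager
	status chan VaultStatus
	Trace  []string // ordered record of what happened, kept so tests can check ordering
}

func NewAgent(vm VaultManager) *Agent {
	return &Agent{vault: vm, status: make(chan VaultStatus, 1)}
}

// Subscribe returns the receive side that other services listen on.
func (a *Agent) Subscribe() <-chan VaultStatus { return a.status }

// ApplyConfig enforces the ordering: security config first, then the ready
// signal, then the rest of the config. If the vault cannot be set up, nothing
// else from the config is applied, so no service ever writes to an unready vault.
func (a *Agent) ApplyConfig(cfg DeviceConfig) error {
	if cfg.Security == nil {
		return errors.New("refusing config without a security section")
	}
	st, err := a.vault.Setup(*cfg.Security)
	if err != nil {
		return fmt.Errorf("vault setup failed, remaining config not applied: %w", err)
	}
	a.Trace = append(a.Trace, "vault:"+st.Path)
	a.status <- st // signal subscribers that the vault directory is ready
	a.Trace = append(a.Trace, "published")
	for _, app := range cfg.Apps { // only now is the rest of the config handled
		a.Trace = append(a.Trace, "app:"+app.Name)
	}
	return nil
}

// fakeVault is an in-memory stand-in for the Vault Manager service.
type fakeVault struct{ fail bool }

func (f fakeVault) Setup(sc SecurityConfig) (VaultStatus, error) {
	if f.fail {
		return VaultStatus{}, errors.New("cannot unlock vault")
	}
	return VaultStatus{Path: sc.VaultPath, Ready: true}, nil
}

// sampleConfig is a constructed config; the path and app names are placeholders.
func sampleConfig() DeviceConfig {
	return DeviceConfig{
		Security: &SecurityConfig{VaultPath: "/example/vault", Encrypt: true},
		Apps:     []AppConfig{{Name: "nginx"}, {Name: "db"}},
	}
}

func main() {
	ag := NewAgent(fakeVault{})
	sub := ag.Subscribe()
	if err := ag.ApplyConfig(sampleConfig()); err != nil {
		fmt.Println("error:", err)
		return
	}
	st := <-sub
	fmt.Printf("vault %s ready=%v, trace=%v\n", st.Path, st.Ready, ag.Trace)
}
```

The same `ApplyConfig` path serves both the initial handling (where, in the mixed option, Vault Manager already has the security parts from pillar launch) and later security config changes that zedagent pushes to Vault Manager over pubsub; the point being demonstrated is only that the vault is ready before any dependent config is acted on, and that a vault failure stops the rest of the config from being applied.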

...