Versions Compared

Old Version 56

changes.mady.by.user Hari C S

Saved on

compared with

New Version 57

changes.mady.by.user Hari C S

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Break-up of the proposed Vault Config

  • Data handling policy
  • Key Information

...

  • Identity of the Vault under consideration
  • Vault Security Policy
  • Key Information for the Vault

Vault Identifier

UUID  - Unique Id generated by EVC for the Vault

Name  - String describing the Vault as given by User

Version of the Configuration - To take care of config format change in the future

Vault Security Policy

Data handling policy will define operational mode of the vault:

  • Retain
  • Destroy

Retain: This is the normal mode of operation.

Destroy: This indicates Vault Manager to destroy the given Vault. (Probably due to a security breach detected by EVC)

...

  • Lock 
  • Unlock
  • Change Key

Key Information

If controller is configured to use EVC generated keys for the Vault, this section will carry the key information to be used for the associated vault

Fscrypt provides a way to change the master key associated with an encrypted folder, without re-encrypting the contents. This is possible due to the protectors and policies constructs used by fscrypt (master key protects the protector, and protector in turn protects the final key used for encryption). Please see here for more details.

We can use this fscrypt feature to periodically rotate the master keys used for a given vault. The key rotation policy will be in the controller and will not be intimated to EVE.  For a key rotation scheme, a maximum of two keys will be intimated to the EVE node. Controller will store and publish, the last published key along with the most current key. This will cover cases, when the EVE node is not able to communicate with controller. If there is no key rotation configured, both old and new key fields in the configuration will be the same.

Association of Edge Container with the Vault

App Instance configuration will carry this information  - Whether the App is protected by End-to-End Security, and if yes, what is the Vault to associate this App Instance with.  Zedmanager will consume this configuration, and co-ordinate between Vault manager and Domain Manager to make sure the required Vault is ready before launch of the User Application.

Attestation Challenge by EVC 

...