Problem Statement
- The sentitive information, like datastore credentials, WiFi Passwords etc., are in clear-text format inside the configuration blob, received from controlled module. The sensitive information is exchanged between agents in the EVE, as is through pubsub channel.
- The sensitive information should be in cypher text format inside the configuration blob for EVE node. A set of APIs will be provided to the EVE agents to decrypt them.
- The sensitive information exchange between the controller and EVE node should be encrypted end-to-end, in man-in-the middle proxy deployments also.
- There encryption methodolgy used for achiving this, should also work with third-party CA verification
Solution
A symmetric key will be generated by the controller module. This symmetric key will be used for both encryption and decryption. The configuration blob will contain a symmetric key attribute field, to store this symmetric key.
While preparing the configuration blob, the controller will use this symmetric key will be used to encrypt the sensitive information. In turn,the controller will use, the EVE node device certificate to encrypt the symmetric key.
On EVE node, the agents will also pass the encrypted symmetric key along with the encrypted sensitive information, while calling decryption method API. The symmetric key will be decrypted first, using the device private key stored inside TPM module. In turn, the decrypted symmetric key will be used to decrypt the sensitive information.