Secrets Management
In this article we discuss the encryption and management of edge apps' parameters that need to be kept secret. For simplicity we'll call them "secrets".

Node key

During the node registration procedure, every node generates a public-private key pair (PubK_N, K_N) and sends the public key to the backend, which stores it together with the node ID. The private key K_N never leaves the node. The node keys serve only one purpose: to facilitate the secure distribution of the organization private key to the nodes.

Organization key

When the user initiates the generation of the organization key, a public-private key pair (PubK, K) is generated in the weeve web application. The private key K is displayed only locally in the user's browser so that the user can save it somewhere secure. It is shown only once and cannot be recovered if lost. The public key PubK is sent to the backend, where it is stored in the organization profile.

Organization key distribution

To onboard a node to use secrets, the user enters the organization's private key K into the browser. The application will download the public keys PubK_N of the nodes participating in the distribution and encrypt K locally with n different PubK_N, thus resulting in n different messages enc(K, PubK_N). Those messages will be sent to the backend which will cache them and forward them to the corresponding nodes.
At the node, the message enc(K, PubK_N) will be decrypted with this node's private key K_N and the resulting organization key K will be stored in the part of RAM that belongs to the weeve agent. This way the organization's private key K is never stored in plaintext either on nodes or in the backend.
If a node loses K (e.g. in case of a restart) it can request the cached message enc(K, PubK_N) to be delivered again.
If the key K is compromised, the user can generate a new one and repeat the distribution procedure.
With this, the platform is ready to manage secrets that are only known to the organization, not the platform administrator or anyone with access to the backend's database.

Using secrets

When a user creates a new secret in weeve's web app, the app pulls the corresponding organization public key PubK from the backend and encrypts the secret value V with this public key in the browser, creating enc(V, PubK). The encrypted value is then sent to the backend, where it is stored together with its label to be used in edge apps' manifests.
When creating an edge application, the user can choose to use secrets for any text field parameters. The backend will then put the right enc(V, PubK) according to the labels in the manifest.
When deployed on a node, the node will be able to use K from RAM to decrypt enc(V, PubK) and provide the plaintext value V to the edge app. The value V will also only be stored in RAM and handled according to the edge app's logic.
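
The full flow described on this page, from node registration to decrypting a secret on the node, as an added example that is not weeve's code. The page does not name the cryptographic primitives, so RSA-2048 with OAEP wrapping an AES-256-GCM key is an assumption, as are the enc/dec helpers, the backend object, the node ID and the secret label; Node.js crypto stands in for the browser.

```javascript
// Added example. Assumption: RSA-OAEP wrapping an AES-256-GCM key; the page
// does not state which primitives the platform uses. All values are constructed.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// enc(m, pub): encrypt m under a fresh AES key, then wrap that key with pub.
function enc(message, pub) {
  const dek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const body = Buffer.concat([c.update(message), c.final()]);
  return { wrapped: crypto.publicEncrypt(oaep(pub), dek), iv, body, tag: c.getAuthTag() };
}

// dec(msg, priv): inverse of enc; throws on a wrong key or a modified message.
function dec(msg, priv) {
  const dek = crypto.privateDecrypt(oaep(priv), msg.wrapped);
  const d = crypto.createDecipheriv('aes-256-gcm', dek, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]);
}

function demo() {
  // Node registration: K_N stays on the node, PubK_N goes to the backend.
  const node = newKeyPair();
  const backend = { nodePubKeys: { 'node-1': node.publicKey }, cache: {}, secrets: {} };

  // Organization key generation in the browser: only PubK is uploaded.
  const org = newKeyPair();
  backend.orgPubKey = org.publicKey;

  // Distribution: the browser encrypts K per node; the backend caches enc(K, PubK_N).
  const K = org.privateKey.export({ type: 'pkcs8', format: 'der' });
  for (const [id, pubN] of Object.entries(backend.nodePubKeys)) backend.cache[id] = enc(K, pubN);

  // Using secrets: the browser uploads enc(V, PubK) under a label.
  backend.secrets['db-password'] = enc(Buffer.from('s3cr3t-constructed'), backend.orgPubKey);

  // On the node: recover K into memory, then decrypt the value from the manifest.
  const kInRam = crypto.createPrivateKey({
    key: dec(backend.cache['node-1'], node.privateKey), format: 'der', type: 'pkcs8' });
  const value = dec(backend.secrets['db-password'], kInRam).toString();

  // A different node's private key cannot open this node's cached message.
  let otherNodeFails = false;
  try { dec(backend.cache['node-1'], newKeyPair().privateKey); } catch { otherNodeFails = true; }
  return { value, otherNodeFails };
}
```

The backend object here only ever holds public keys and ciphertexts, which is the property the page relies on when it says secrets are not known to anyone with access to the backend's database.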