In this article we discuss the encryption and management of edge apps' parameters that need to be kept secret. For simplicity we'll call them "secrets".
During the node registration procedure every node generates a public-private key pair (K_N) and sends the public key to the backend, which stores it together with the node ID. The private key K_N never leaves the node. The purpose of the node keys is only to facilitate the secure distribution of the organization's secret key to the nodes.
When the user initiates the generation of the organization key, a symmetric key K is generated randomly in the weeve web application. The key K is only presented locally in the user's browser to be saved somewhere securely. This is shown only once, and if lost, cannot be recovered.
To onboard a node to use secrets, the user enters the organization's secret key K into the browser. The application will download the public keys PubK_N of the nodes participating in the distribution and encrypt K locally with n different PubK_N, thus resulting in n different messages K_encrypted_N = enc(K, PubK_N). Those messages will be sent to the backend, which will cache them and forward them to the corresponding nodes.
At the node, the message enc(K, PubK_N) will be decrypted with this node's private key K_N and the resulting organization key K will be stored in the part of RAM that belongs to the weeve agent. This way the organization's secret key K is never stored in plaintext either on nodes or in the backend.
If a node loses K (e.g. in case of a restart) it can request the cached message enc(K, PubK_N) to be delivered again.
If the key K is compromised, the user can generate a new one and repeat the distribution procedure.
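The distribution steps above, modelled in one Go process as an added example (not weeve's code). RSA-2048 node keys and RSA-OAEP with SHA-256 for enc(K, PubK_N) are assumptions, since the article names no algorithms, and the names `registry`, `node`, `newNode`, `wrapForNodes` and `receive` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type registry map[string]*rsa.PublicKey // backend table: node ID -> PubK_N

// node models the agent: K_N (RSA-2048 here, an assumption) never leaves it, K lives only in RAM.
type node struct {
	priv *rsa.PrivateKey
	k    []byte
}

func newNode() (*node, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &node{priv: priv}, err
}

// wrapForNodes is the browser step: one enc(K, PubK_N) per node (RSA-OAEP assumed) for the backend to cache.
func wrapForNodes(k []byte, reg registry) (map[string][]byte, error) {
	cache := make(map[string][]byte, len(reg))
	for id, pub := range reg {
		msg, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
		if err != nil {
			return nil, err
		}
		cache[id] = msg
	}
	return cache, nil
}

// receive decrypts enc(K, PubK_N) with K_N; redelivery after a restart takes the same path.
func (n *node) receive(msg []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.priv, msg, nil)
	if err != nil {
		return err // K held in RAM is left untouched by a message meant for another node
	}
	n.k = k
	return nil
}

func main() {
	n, _ := newNode() // constructed node; errors ignored in this short demo
	cache, _ := wrapForNodes([]byte("constructed sample K"), registry{"node-1": &n.priv.PublicKey})
	fmt.Println(n.receive(cache["node-1"]) == nil && string(n.k) == "constructed sample K")
}
```

A restart corresponds to the node's `k` being empty again; calling `receive` with the same cached message restores it, and a message cached for a different node fails to decrypt.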
With this, the platform is ready to manage secrets that are only known to the organization, not the platform administrator or anyone with access to the backend's database.
When a user creates a new secret in weeve's web app, they are prompted to enter the organization's key K. It is used by the web app to encrypt the secret value V with a symmetric encryption scheme in the browser, creating enc(V, K). The encrypted value is then sent to the backend, where it is stored together with its label to be used in edge apps' manifests.
When creating an edge application, the user can choose to use secrets for any text field parameters. The backend will then put the right enc(V, K) according to the labels in the manifest.
When deployed on a node, the node will be able to use K from RAM to decrypt enc(V, K) and provide the plaintext value V to the edge app. The value V will also only be stored in RAM and handled according to the edge app's logic.