Issue
I am currently working on a customized media center/box product for my employer. It's basically a Raspberry Pi 3b+ running Raspbian, configured to auto-update periodically via apt. The device accesses binaries for proprietary applications via a private, secured apt repo, using a pre-installed certificate on the device.
Right now, the certificate on the device is set to never expire, but going forward, we'd like to configure the certificate to expire every 4 months. We also plan to deploy a unique certificate per device we ship, so the certs can be revoked (i.e. in case the customer reports the device as stolen).
Is there a way, via apt or OpenStack/Barbican KMS, to:
- Update the certs for apt-repo access on the device periodically.
- Setup key-encryption-keys (KEK) on the device, if we need the device to be able to download sensitive data, such as an in-memory cached copy of customer info.
- Provide a mechanism for a new key to be deployed on the device if the currently-used key has expired (i.e. the user hasn't connected the device to the internet for more than 4 months). Trying to wrap my head around this one, since the device now (in this state) has an expired certificate, and I can't determine how to let it be trusted to pull a new one.
- Allow keys to be tracked, revoked, and de-commissioned.
Thank you.
Solution
Is there a way I could use Barbican to:
- Update the certs for apt-repo access on the device periodically.
Barbican used to have an interface to issue certs, but this was removed. Therefore barbican is simply a service to generate and store secrets.
You could use something like certmonger. certmonger is a client side daemon that generates cert requests and submits them to a CA. It then tracks those certs and requests new ones when the certs are going to expire.
- Setup key-encryption-keys (KEK) on the device, if we need the device to be able to download sensitive data, such as an in-memory cached copy of customer info.
To use barbican, you need to be able to authenticate and retrieve something like a keystone token. Once you have that, you can use barbican to generate key encryption keys (which would be stored in the barbican database) and download them to the device using the secret retrieval API.
Do you need/want the KEKs escrowed like this though?
- Provide a mechanism for a new key to be deployed on the device if the currently-used key has expired (i.e. the user hasn't connected the device to the internet for more than 4 months).
Barbican has no mechanism for this. This is client side tooling that would need to be written. You'd need to think about authentication.
- Allow keys to be tracked, revoked, and de-commissioned.
Same as above. Barbican has no mechanism for this.
Answered By - Untha
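The KEK retrieval flow the answer describes (get a Keystone token, then pull the secret payload from Barbican), as an added example that is not part of the question or answer: Keystone v3 password auth against `/v3/auth/tokens` and Barbican's `GET <secret_ref>/payload` are the real API shapes; the device credentials, URLs, the 32-byte KEK length and the `fake_opener` transport are constructed so the code runs offline.

```python
import json
from urllib import request

def keystone_auth_body(user, password, project, domain="Default"):
    # Keystone v3 password auth, scoped to a project (POST /v3/auth/tokens)
    user_block = {"name": user, "domain": {"name": domain}, "password": password}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user_block}},
                     "scope": {"project": {"name": project,
                                           "domain": {"name": domain}}}}}
def get_token(keystone_url, auth_body, opener=request.urlopen):
    # Keystone answers 201 and places the token in the X-Subject-Token header
    req = request.Request(keystone_url.rstrip("/") + "/v3/auth/tokens",
                          data=json.dumps(auth_body).encode(),
                          headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:
        if resp.status != 201:
            raise RuntimeError("keystone auth failed: %d" % resp.status)
        return resp.headers["X-Subject-Token"]

def fetch_kek(token, secret_ref, expected_len=32, opener=request.urlopen):
    # GET <secret_ref>/payload with Accept: application/octet-stream yields raw bytes
    req = request.Request(secret_ref.rstrip("/") + "/payload",
                          headers={"X-Auth-Token": token,
                                   "Accept": "application/octet-stream"})
    with opener(req) as resp:
        if resp.status != 200:
            raise RuntimeError("secret retrieval failed: %d" % resp.status)
        kek = resp.read()
    if len(kek) != expected_len:  # a truncated or wrong-type payload must not be used
        raise ValueError("unexpected KEK length %d" % len(kek))
    return kek

class FakeResponse:
    # constructed stand-in for urllib's response object so the flow runs offline
    def __init__(self, status, headers=None, body=b""):
        self.status, self.headers, self._body = status, headers or {}, body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False

FAKE_TOKEN, FAKE_KEK = "tok-constructed", bytes(range(32))  # constructed values
def fake_opener(req):
    # constructed transport that answers the way Keystone and Barbican would
    if req.full_url.endswith("/v3/auth/tokens") and req.get_method() == "POST":
        return FakeResponse(201, {"X-Subject-Token": FAKE_TOKEN})
    if req.full_url.endswith("/payload") and req.get_header("X-auth-token") == FAKE_TOKEN:
        return FakeResponse(200, body=FAKE_KEK)
    return FakeResponse(401)
```

Swap `fake_opener` for the default `urllib.request.urlopen` to talk to a real Keystone and Barbican; the token check on the payload request is what a revoked or expired device credential would fail.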