NAME¶
security-secrets-setup — Creates an on-device public-key infrastructure (PKI) to secure microservice secret management
SYNOPSIS¶
DESCRIPTION¶
The Vault secret management component of EdgeX Foundry requires TLS encryption of secrets over the wire via a pre-created PKI. security-secrets-setup is responsible for creating a certificate authority and any needed TLS leaf certificates in order to secure the EdgeX security services. security-secrets-setup supports several modes of operation as defined in the OPTIONS section.
As the PKI is security-sensitive, this tool takes a number of precautions to safeguard the PKI:
- The PKI can be deployed to transient storage to address potential attacks to the PKI at-rest.
- The PKI is deployed such that each service has its own assets folder, which is amenable to security controls imposed by container runtimes such as mandatory access controls or file system namespaces.
- The private key of the certificate authority (CA) is shredded (securely erased) prior to caching or deployment to block issuance of new CA descendants (this is most relevant in caching mode).
Modes of operation¶
- generate
- Causes a PKI to be generated afresh every time and deployed. Typically, this will be whenever the framework is started.
- cache
- Causes a PKI to be generated exactly once and then copied to a designated cache location for future use. The PKI is then deployed from the cached location.
- import
- This option is similar to
cache
in that it deploys a PKI from CacheDir to DeployDir, but it forces an error if CacheDir is empty instead of triggering PKI generation. This enables usage models for deploying a pre-populated PKI such as a Kong certificate signed by an external certificate authority or TLS keys signed by an offline enterprise certificate authority.
OPTIONS¶
- -h, –help
- Display help text
- –confdir <confdir>
- Look in this directory for configuration.toml instead.
- -p, –profile <name>
- Indicate configuration profile other than default
FILES¶
pkisetup-vault.json, pkisetup-kong.json¶
Configuration files for certificate parameters. These files conform to the following schema:
{
"create_new_rootca": "true|false",
"working_dir": "./config",
"pki_setup_dir": "pki",
"dump_config": "true",
"key_scheme": {
"dump_keys": "false",
"rsa": "false",
"rsa_key_size": "4096",
"ec": "true",
"ec_curve": "384"
},
"x509_root_ca_parameters": {
"ca_name": "EdgeXFoundryCA",
"ca_c": "US",
"ca_st": "CA",
"ca_l": "San Francisco",
"ca_o": "EdgeXFoundry"
},
"x509_tls_server_parameters": {
"tls_host": "edgex-vault|edgex-kong",
"tls_domain": "local",
"tls_c": "US",
"tls_st": "CA",
"tls_l": "San Francisco",
"tls_o": "Kong"
}
}
When generating or caching,
the utility hard-codes the names of the configuration files
and always processes pkisetup-vault.json
first
and pkisetup-kong.json
second.
This will be configurable in the future; at that time
the basename of the file would correspond to a directory under DeployDir.
configuration.toml¶
Configuration file for configurable directories that the options use. This file conforms to the following schema:
[SecretsSetup]
WorkDir = "/path/to/temp/files"
CacheDir = "/path/to/cached-or-importing/pki"
DeployDir = "/path/to/deployed/pki"
WorkDir¶
A work area (preferably on a ramdisk) to place working files during certificate generation.
If not supplied, temporary files will be generated to a subdirectory
(/edgex/security-secrets-setup
) of $XDG_RUNTIME_DIR
.
If $XDG_RUNTIME_DIR
is undefined, uses /tmp
instead.
DeployDir¶
Points to the base directory for the final deployment location of the PKI.
If not specified, defaults to /run/edgex/secrets/
.
For example, if DeployDir was set to /edgex
and the service name was
edgex-vault
then the following files would be placed in
/edgex/edgex-vault/
:
server.crt
for a PEM-encoded end-entity TLS certificate andserver.key
for the corresponding private key.security-secrets-setup.complete
is a sentinel file created after assets are deployed
CacheDir¶
Points to a base directory to hold the cached PKI.
Identical in structure to that created in DeployDir.
Defaults to /etc/edgex/pki
if not specified.
The PKI is deployed from here when the tool is run in
caching or importing.
NOTES¶
As security-secrets-setup is a helper utility to ensure that a PKI is created on first launch, it is intended that security-secrets-setup is always invoked with the same command.
- Changing from
cache
togenerate
will cause the cache to be ignored when deploying a PKI and changing it back will cause a reversion to a stale CA. - Changing from
cache
toimport
mode of operation is not noticeable by the tool: the PKI that is in the cache will be the one deployed.
To force regeneration of the PKI cache after the first launch, the PKI cache must be manually cleaned. The easiest way in Docker would be to delete the Docker volume holding the cached PKI.