Encrypted SoftwareUpdatable v2 artifacts support #147

@ttttodorov

Using encryption to protect the artifacts managed by a software update process is an important security feature that must be supported to enable secure and trusted edge solutions.

The SoftwareUpdatable v2 Vorto model does not provide a predefined manner/API for such encrypted artifact management but defines generic enough metadata per SoftwareModuleAction that can be utilized to support this use case. Given that a SoftwareModuleAction encompasses the actual artifacts to be downloaded/installed/updated, its metadata can be used to attach the needed decryption data to be applied for all the artifacts the action and module refer to.

Utilizing such metadata for the desired use cases can be done in the following manner:

  • A secure enough algorithm is applied for the transferred (de)encryption data - e.g. AES-256 GCM
  • The key material is made available as base 64 encoded values in the generic metadata dictionary with appropriate distinctive keys, i.e.
    • AES256.key
    • AES256.iv

E.g.:

"metaData": {
  "AES256.key": "AxS5kSOpU2BEsHotpy67nP4lndr/io4XmI9GqO/DFuo=",
  "AES256.iv": "G0kMVI5lOqqlfgTt"
}

The approach must be applied in an aligned manner for all Kanto components that provide SoftwareUpdatable v2 support.

Tasks:
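
The following Go sketch is an added example, not part of the issue or of Kanto's code; it shows how a component could consume the `AES256.key` / `AES256.iv` metadata described above. The function names `gcmFromMeta` and `DecryptArtifact` are hypothetical, and it assumes the 16-byte GCM tag is appended to the artifact ciphertext with no additional authenticated data, which the issue does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// gcmFromMeta builds the AES-256-GCM AEAD and nonce from the action's metaData.
func gcmFromMeta(meta map[string]string) (cipher.AEAD, []byte, error) {
	key, err := base64.StdEncoding.DecodeString(meta["AES256.key"])
	if err != nil || len(key) != 32 {
		return nil, nil, fmt.Errorf("AES256.key: want 32 base64-encoded bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(meta["AES256.iv"])
	if err != nil || len(iv) != aead.NonceSize() {
		return nil, nil, fmt.Errorf("AES256.iv: want %d base64-encoded bytes", aead.NonceSize())
	}
	return aead, iv, nil
}

// DecryptArtifact authenticates and decrypts one downloaded artifact.
// Assumption: the GCM tag is appended to the ciphertext and no AAD is used.
func DecryptArtifact(meta map[string]string, artifact []byte) ([]byte, error) {
	aead, iv, err := gcmFromMeta(meta)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, iv, artifact, nil)
}

func main() {
	// metaData values copied from the issue; the artifact bytes are constructed.
	meta := map[string]string{"AES256.key": "AxS5kSOpU2BEsHotpy67nP4lndr/io4XmI9GqO/DFuo=", "AES256.iv": "G0kMVI5lOqqlfgTt"}
	aead, iv, _ := gcmFromMeta(meta) // the sample values are known to be well-formed
	sealed := aead.Seal(nil, iv, []byte("constructed artifact"), nil)
	plain, err := DecryptArtifact(meta, sealed)
	fmt.Printf("%q %v\n", plain, err)
	sealed[0] ^= 1 // any modification of the artifact must fail authentication
	fmt.Println(DecryptArtifact(meta, sealed))
}
```

Because GCM authenticates as well as decrypts, an installer built this way should treat an `Open` error as a rejected artifact and not write any output to disk.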

Labels: feature (New feature or request), security (Security improvement)
