Interaction of components on the server side

AosCloud functionality must be secure. This means that all connections between services and all handling of sensitive data must follow the safest available approach.

The data and objects that AosCloud needs to protect:

  • Private keys used for TLS connections (Nginx, Postgres, etc.)
  • Private keys used for data signing (service packages, update bundles, layers)
  • Private keys used for data decryption (units' data received during provisioning, e.g. the TPM master password)
  • Different tokens
  • Web session encryption
  • Access to the cloud resources (CDN, BLOB storage, managing RabbitMQ instances)
  • Keys for generating short-lived tokens for downloads from storage
  • Other tokens

Implementation requirements:

  • Secure (encrypted) storage of secrets
  • Role/policy-based access control for each token or group of tokens
  • Support backup/restore
  • Support replication

Solution

The chosen tool for storing secrets is HashiCorp Vault. It meets all the requirements described above.

All secrets (tokens) are logically grouped by services:

  • Backend
  • RabbitMQ
  • Nginx
  • Postgres

AosCloud also makes extensive use of private keys and certificates. All private keys must be strictly protected to avoid leaks.

The official Nginx website describes two standard approaches:

  • Storing private keys locally in encrypted form and using a password retrieved from the vault to unlock the files
  • Using an external HSM (hardware security module) so that cryptographic operations happen outside the Nginx (or any other service) context/container

In stage 1, we implement the approach with locally stored private keys protected by a password.

In stage 2, we will use an HSM (for the staging and testing environments we will use SoftHSM).
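To make the stage-1 design concrete, the script below is an added example and is not part of the AosCloud documentation or code base. It shows the three pieces that design needs: a per-service Vault policy (read access only to that service's own subtree, which is how "role/policy-based access for each group of tokens" is expressed in Vault), a passphrase file written with owner-only permissions, and the Nginx directives that point at the encrypted key and the passphrase file. The service name "nginx", the KV v2 mount "secret/", the path "secret/nginx/tls", the passphrase value and all file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not AosCloud code): stage-1 handling of an Nginx TLS key that
# is stored locally in encrypted form while its passphrase lives in Vault.
set -eu

# Least-privilege Vault policy for one service on a KV v2 secrets engine.
# The service may read only its own subtree; the mount and paths are assumed.
vault_policy_for() {
  svc="$1"
  cat <<EOF
# Vault policy for the "$svc" service (example, paths assumed)
path "secret/data/$svc/*" {
  capabilities = ["read"]
}
path "secret/metadata/$svc/*" {
  capabilities = ["list"]
}
EOF
}

# Write a passphrase file that only its owner can read or write (mode 0600).
# In production the value would come from Vault, for example:
#   vault kv get -field=passphrase secret/nginx/tls   (path assumed)
write_password_file() {
  out="$1"; pass="$2"
  old_umask=$(umask)
  umask 077
  printf '%s\n' "$pass" > "$out"
  umask "$old_umask"
}

# Return 0 when a file is readable/writable by its owner only, else 1.
is_owner_only() {
  case "$(ls -l "$1" | cut -c1-10)" in
    -rw-------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Encrypt a plaintext PEM private key with the passphrase from a file
# (PEM encryption with AES-256-CBC; needs the openssl CLI).
encrypt_private_key() {
  in="$1"; pwfile="$2"; out="$3"
  openssl pkey -in "$in" -aes-256-cbc -passout "file:$pwfile" -out "$out"
}

# Nginx directives for the encrypted key and its passphrase file.
nginx_ssl_snippet() {
  printf 'ssl_certificate     %s;\nssl_certificate_key %s;\nssl_password_file   %s;\n' \
    "$1" "$2" "$3"
}

# Stand-alone demonstration in a scratch directory.
work=$(mktemp -d)
vault_policy_for nginx > "$work/nginx-policy.hcl"
# Constructed passphrase for the example only; never hard-code a real one.
write_password_file "$work/nginx.pass" 'example-passphrase-not-for-real-use'
is_owner_only "$work/nginx.pass" || { echo "bad permissions on passphrase file" >&2; exit 1; }

# Only exercise the key encryption when openssl is present on this host.
if command -v openssl >/dev/null 2>&1; then
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/nginx-plain.key" >/dev/null 2>&1
  encrypt_private_key "$work/nginx-plain.key" "$work/nginx.pass" "$work/nginx.key"
  rm -f "$work/nginx-plain.key"   # the plaintext key must not stay on disk
fi

nginx_ssl_snippet /etc/nginx/tls/nginx.crt /etc/nginx/tls/nginx.key /etc/nginx/tls/nginx.pass
```

The policy gives the Nginx role no access to the Backend, RabbitMQ or Postgres subtrees, so a compromised Nginx container can at most read its own passphrase; the passphrase file itself is the weak point of the stage-1 approach, which is exactly why stage 2 moves the private-key operations into an HSM.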