I have seen a number of posts addressing security, but it is not conclusive to me that the following two issues are addressed. Could people share or discuss what they think about it?
Mender artifacts are signed, but not encrypted: This means that any attacker who manages to get hold of an artifact, maybe one used to perform a USB update in an emergency case, can open up the payload and take the content.
Well, thinking ahead:
In the case of a full rootfs update, there might be some keys involved although that should be minimized anyway.
For specific file updates, that might be not a problem, but of course it would be great to ensure data integrity. For that reason, I figured that if you pack the artifact into an encrypted file, that already helps.
Encryption would be great. Although it might take some time to work out the process and get any changes upstream. So depending on your product timeline you may need to not include keys/sensitive data in the payload for now.
Ultimately, secrets like keys should not be stored on the file system, for a myriad of reasons, not the least of which you have cited here. However, even given an encrypted artifact, a process like this presumes the secrets are the same for all nodes the artifact is being deployed to; which, second only to no security, is the bane of IoT’s future.
I would much rather see effort in the road map targeting PKCS#11/HSM support - but then I'm biased, as all our devices include security chips that we are not yet able to utilize with Mender.
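To make the two concerns in this thread concrete (encrypting the payload so a leaked artifact is useless, and the objection that a single shared secret across all nodes is worse than no security), here is an added example that is not part of the thread and not Mender's code or artifact format. It assumes a constructed container in which the payload is encrypted once with a random content key (AES-256-GCM, which also authenticates the bytes), and that content key is then wrapped separately with each recipient device's own RSA public key. Each device unwraps with its own private key, which is exactly the kind of key a PKCS#11 device or on-board security chip could hold; no device has a secret that any other device also has. The device IDs, key sizes and payload are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedArtifact is a constructed container for this example (not a Mender
// artifact): one AES-256-GCM ciphertext of the payload, plus the content key
// wrapped separately for every device that is allowed to open it.
type EncryptedArtifact struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // device ID -> RSA-OAEP wrapped content key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForDevices encrypts payload once under a fresh content key and wraps
// that key per device. Compromising one device's private key only exposes the
// content keys wrapped for that device; there is no fleet-wide shared secret.
func EncryptForDevices(payload []byte, devicePubs map[string]*rsa.PublicKey) (*EncryptedArtifact, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	art := &EncryptedArtifact{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil),
		WrappedKeys: make(map[string][]byte, len(devicePubs))}
	for id, pub := range devicePubs {
		// The device ID is the OAEP label, binding each wrapped key to its device.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, []byte(id))
		if err != nil {
			return nil, err
		}
		art.WrappedKeys[id] = w
	}
	return art, nil
}

// DecryptOnDevice unwraps the content key with the device's private key and opens
// the payload. GCM's authentication tag makes any modified ciphertext fail here,
// which covers the data-integrity concern as well.
func DecryptOnDevice(art *EncryptedArtifact, deviceID string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := art.WrappedKeys[deviceID]
	if !ok {
		return nil, errors.New("artifact was not encrypted for device " + deviceID)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, []byte(deviceID))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, art.Nonce, art.Ciphertext, nil)
}

// Demo builds a constructed two-device fleet and checks that an authorised device
// recovers the payload, a device outside the recipient list cannot, and a
// tampered ciphertext is rejected. It returns true when all three hold.
func Demo() (bool, error) {
	payload := []byte("constructed artifact payload: rootfs bytes would go here")
	privs, pubs := map[string]*rsa.PrivateKey{}, map[string]*rsa.PublicKey{}
	for _, id := range []string{"device-A", "device-B"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return false, err
		}
		privs[id], pubs[id] = k, &k.PublicKey
	}
	art, err := EncryptForDevices(payload, pubs)
	if err != nil {
		return false, err
	}
	if got, err := DecryptOnDevice(art, "device-A", privs["device-A"]); err != nil || !bytes.Equal(got, payload) {
		return false, fmt.Errorf("authorised device failed to decrypt: %v", err)
	}
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptOnDevice(art, "device-C", outsider); err == nil {
		return false, errors.New("outsider unexpectedly decrypted the artifact")
	}
	art.Ciphertext[0] ^= 0x01 // flip one bit of the payload ciphertext
	if _, err := DecryptOnDevice(art, "device-B", privs["device-B"]); err == nil {
		return false, errors.New("tampered artifact was accepted")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("all checks passed:", ok, err)
}
```

Revoking a device then means simply not wrapping the content key for it in the next artifact; nothing has to be rotated on the other nodes, which is the practical difference from a fleet-wide symmetric key.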