HSM/secure element use cases

Hi,

I’m trying to understand the use cases for using a secure element and how that maps to the Certificates and Keys section of the docs.

In the Security section the docs state:

Currently, Mender supports hardware security engines for SSL handshake, mTLS, and authentication request signing

Under Certificates and Keys docs, if I’m understand it correctly there are three components that reside on the server, one on the client, and a separate artifact signing key if used for verification of updates.

The server side:
API Gateway - server.crt/private.key pair self signed or provided by a CA
User Admin - private.key which contains a public key component; used by the server to sign and verify JWTs
Device Auth - private.key which contains a public key component; used by the server to sign and verify JTWs

The client side:
Mender Client - ECC or RSA keypair (default) used to authenticate client with with server during the initial authorization handshake; good use case for HSM storage of private.key

Unless a user is on an enterprise plan and wants mTLS, then there is only that ONE private key that would be stored in the HSM - the Mender Client authentication key (mender-agent.pem)?

SSL Handshake and mTLS are really one in the same, correct?

Or, is there some other private key on the client side that gets automatically generated by Linux/openSSL for the SSL Handshake, even if mTLS is not used?

Thanks, Matt.

Hi @mattwood2000

If you set no private-key in your configuration on the client, a key will be generated for you automatically, if this is what you are asking?

Also @joelguittet

Hello @mattwood2000

I have personally used a secure element (ATECC608) to perform authentication of the device. Basically private key from the SE is used to sign payloads of the mender client. Public key is provided as well and will be displayed on the UI. Context was different (MCU) but use case is the same.

I should also point an interesting tutorial: Securing IoT software deployments with Mender and NXP EdgeLock™ SE050 I have not tried this but looks closed to your topics/questions and may help you particularly if you look at openssl integration.

Joel

EDIT: I see this post is quite old, but at least there is an answer/pointer for other people looking the topic.

Hi,

Just reviving this conversation again to get some clarity.

Currently, from what I understand from the discussion so far is -

1. Mender Client supports offloading the TLS and storing the mender-private.pem inside an HSM.

• Securing IoT software deployments with Mender and NXP EdgeLock™ SE050 talks about this, and I was able to follow the instructions similarly with another HSM vendor, and it worked as expected. From what I understood, even softHSM would work as well.

My question is about securely storing the server side keys and offloading server side connections to an HSM as well.

Is this currently supported at all ? And if it is, is it only on Mender Enterprise ?

Hello @DangerZone

thank you for your interest in Mender.
currently, the hardware security is only supported in the Mender Client (both version 3 and 4). I am interested in the use-case for introducing such a change in the Mender Server. Do you have anything particular in mind? How would you solve the distributed nature of the k8s deployments?

best regards,
peter

P.S.
@joelguittet thanks for reading and recommending the post about the NXP case

Thank you @peter for confirming.

I am still pretty new to this and was exploring about how I can secure the keys on the server side as well. I haven’t really delved deep into understanding the challenges that might arise from pursuing this but since I saw this thread which kind of summarized the doubt that I had at the top of my head, I thought I’ll seek some guidance first.

@DangerZone do not worry. thanks for being interested. if you have a cool use case I am here to listen!

have a good day,
peter