Mender-store file on cloned SD card

I think I’ve come across a bug or maybe a slight security concern. During some testing today, we cloned an SD card from a device that is running mender. We then put a new private key on that device on the data partition for mender to use. We then saw an issue today where even though we had replaced the private key and we were using a different mender id, the unit made a successful connection to the server looking like the device from which we cloned the SD card.
This issue was only rectified once we deleted the mender-store file off the SD card.

Does the mender-store file contain copies or references to the private key or other credentials? For instance if someone were to make a copy of the mender-store file and put it on another device, could that device pose as if it were an authenticated device? I’m not entirely sure what the contents of the mender-store file are.

This is expected. The client stored a JWT token in the database that is used instead of authenticating every time. I believe it expires after 7 days.


Thanks for the information. This is good to know.