I think I’ve come across a bug or maybe a slight security concern. During some testing today, we cloned an SD card from a device that is running mender. We then put a new private key on that device on the data partition for mender to use. We then saw an issue today where even though we had replaced the private key and we were using a different mender id, the unit made a successful connection to the server looking like the device from which we cloned the SD card.
This issue was only rectified once we deleted the mender-store file off the SD card.
Does the mender-store file contain copies or references to the private key or other credentials? For instance if someone were to make a copy of the mender-store file and put it on another device, could that device pose as if it were an authenticated device? I’m not entirely sure what the contents of the mender-store file are.