Secure Storage

sd-ricardo · December 19, 2023, 3:03pm

Have someone already integrated mender-client and secure storage?
The idea is to have all mender configuration files (currently stored in /data/mender) stored in a secured partition.
AFAIK, mender-client (and other services) is launched after data.mount. What if a secured but unlocked for read/write partition is mounted in /data?

sd-ricardo · December 19, 2023, 3:19pm

What the purpose of mender-grow-data.service. ?
is that resize required for proper image download?. What if that resize is done after the partition gets encrypted and unlocked for read/write?

TheYoctoJester · December 19, 2023, 3:30pm

Hi @sd-ricardo,

The Mender Client should be storage agnostic. So if the /data partition is mounted and accessible once the Client starts, you can employ whatever kind of encryption or security measure that fits your use case.

For the mender-grow-data.service, it is a possibility to have an image which adjusts to a variety of storage sizes. If you know the size of the /data storage area in advance, it is not needed.

Greetz,
Josef

sd-ricardo · December 19, 2023, 4:28pm

Oh, I see!
Thanks!

sd-ricardo · December 20, 2023, 12:48pm

Would it be any proble if I replace the dependency on data.mount to my custom service that encrypt and mount the martition?

from this

[Unit]
Description=Mender persistent data dir
After=data.mount
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service

to this

[Unit]
Description=Mender persistent data dir
After=custom_encrypt_and_mount.service
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service

TheYoctoJester · December 21, 2023, 2:26pm

Interesting take, @sd-ricardo!

My gut feeling is that, yes, it should work - but in good engineering tradition, I can just say "try and find out"

Let us know then!

Greetz,
Josef

sd-ricardo · December 21, 2023, 2:49pm

Thanks a lot!
I’m just finalyzing the fine tunning… so far seems to be working!

Topic		Replies	Views
Mender-data-grow on dunfell General Discussions	3	395	January 26, 2021
Where does mender-client save the incoming download? General Discussions	4	416	October 7, 2021
Purpose of "/data/mender/mender-store" and "/data/mender/mender-store-lock"? General Discussions yocto , sumo , nxp , standalone	1	1118	May 22, 2019
Whether '/data' have any fallback/backup in standalone mode? General Discussions yocto , sumo , nxp	3	477	May 28, 2019
Mender data partition and read-only operation General Discussions	4	1328	March 5, 2020

Secure Storage

Related topics