Secure Storage

Has someone already integrated mender-client and secure storage?
The idea is to have all mender configuration files (currently stored in /data/mender) stored in a secured partition.
AFAIK, mender-client (and other services) is launched after data.mount. What if a secured partition, unlocked for read/write, is mounted at /data?

What is the purpose of mender-grow-data.service?
Is that resize required for proper image download? What if that resize is done after the partition gets encrypted and unlocked for read/write?

Hi @sd-ricardo,

The Mender Client should be storage agnostic. So if the /data partition is mounted and accessible once the Client starts, you can employ whatever kind of encryption or security measure that fits your use case.

For the mender-grow-data.service, it is a possibility to have an image which adjusts to a variety of storage sizes. If you know the size of the /data storage area in advance, it is not needed.

Greetz,
Josef

Oh, I see!
Thanks!

Would it be any problem if I replace the dependency on data.mount with my custom service that encrypts and mounts the partition?

  • from this
[Unit]
Description=Mender persistent data dir
After=data.mount
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service
  • to this
[Unit]
Description=Mender persistent data dir
After=custom_encrypt_and_mount.service
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service
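An added example, not from the thread or from Mender: a sketch of what the custom_encrypt_and_mount.service side of the change above could look like, as the unlock-and-mount script it would run. The unit text in the header, the partition path (/dev/disk/by-partlabel/data), the mapper name and the key-file location are all assumptions; the one caveat worth checking is that After= only orders units, so the custom service also has to be pulled in (WantedBy=), and a leftover /data entry in /etc/fstab still generates data.mount for the raw device.

```bash
#!/bin/sh
# unlock-data.sh: open a LUKS volume and mount it on /data before
# mender-data-dir.service runs. Assumed companion unit (not from the thread):
#   [Unit]
#   Description=Unlock and mount encrypted /data
#   DefaultDependencies=no
#   After=local-fs-pre.target
#   Before=mender-data-dir.service local-fs.target
#   [Service]
#   Type=oneshot
#   RemainAfterExit=yes
#   ExecStart=/usr/local/sbin/unlock-data.sh
#   [Install]
#   WantedBy=mender-data-dir.service
# After=custom_encrypt_and_mount.service in mender-data-dir.service only
# orders the two units; WantedBy= above is what actually pulls this one in.
# If /data is still listed in /etc/fstab, systemd generates data.mount for
# the raw (encrypted) device: drop the entry or mark it noauto.
set -eu

DATA_DEV="${DATA_DEV:-/dev/disk/by-partlabel/data}"  # assumed partition
MAPPER="${MAPPER:-data_crypt}"                       # assumed mapper name
KEYFILE="${KEYFILE:-/run/data.key}"                  # assumed: unsealed earlier
MOUNTS="${MOUNTS:-/proc/mounts}"                     # overridable for testing

# is_mounted DIR [MOUNTS_FILE]: returns 0 if DIR is listed as a mount point.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-$MOUNTS}"
}

open_and_mount() {
    if is_mounted /data; then
        echo "/data already mounted"; return 0     # idempotent on re-run
    fi
    if [ ! -e "/dev/mapper/$MAPPER" ]; then
        # Fail closed: with set -e a missing or wrong key aborts here, /data
        # stays unmounted and the Mender services ordered after us do not start.
        cryptsetup open --key-file "$KEYFILE" "$DATA_DEV" "$MAPPER"
    fi
    mount "/dev/mapper/$MAPPER" /data
    rm -f "$KEYFILE"   # key material is only needed until the volume is open
}

# Run the privileged path only when invoked as the script itself.
case "${0##*/}" in unlock-data.sh) open_and_mount ;; esac
```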

Interesting take, @sd-ricardo!

My gut feeling is that, yes, it should work - but in good engineering tradition, I can just say "try and find out":+1:

Let us know then!

Greetz,
Josef


Thanks a lot!
I’m just finalizing the fine tuning… so far it seems to be working!


Hi @sd-ricardo,

I realize this is quite an old thread, but I thought it might be worth a shot :sweat_smile:.

I am also looking into securing our application data. I got the impression that using LUKS + TPM has not been achieved before (I am working on a Debian-family custom image, not Yocto), so I am looking into alternatives. Encrypting the data partition seems like the next best thing to me, thus I wanted to ask if you were able to get this working and if you would want to share some pointers on how you went about this, what encryption tools you used, …

Thanks in advance!

Hi @JonathanC,

For securing application data, I have recently shown a solution with LUKS+TPM. It might need a bit of adjusting for Debian, but I’m pretty sure it should be straightforward: https://www.youtube.com/live/Fy_F0D9cW0o?si=r1mpNPV_2KTtM-Gr

Greetz,
Josef


Hi @TheYoctoJester,

This was the route I went down, so your video helped me speed that up a lot! I only had to make some minor changes to the script to get it to encrypt the /data partition that mender-convert creates. I added the files to the build through overlays and got the service to run at boot by making the symbolic link to /etc/systemd/system/multi-user.target.wants/ ahead of time also in the overlay (basically what systemctl start <service> does).

In the end it took me more than a week to get it working on my machine because there was some weirdness with Secure Boot. I had TPM and Secure Boot enabled in the BIOS and mokutil --sb-state showed Secure Boot enabled, but the TPM PCR 7 would still fail (silently as far as I can tell). In the end, resetting the Secure Boot state to setup mode in the BIOS and re-enabling it after flashing the OS image fixed it, getting me past the password prompt at boot automatically.

Thanks again!
