Secure Storage

Has someone already integrated mender-client and secure storage?
The idea is to have all mender configuration files (currently stored in /data/mender) stored in a secured partition.
AFAIK, mender-client (and other services) is launched after data.mount. What if a secured but unlocked for read/write partition is mounted in /data?

What is the purpose of mender-grow-data.service?
Is that resize required for proper image download? What if that resize is done after the partition gets encrypted and unlocked for read/write?

Hi @sd-ricardo,

The Mender Client should be storage agnostic. So if the /data partition is mounted and accessible once the Client starts, you can employ whatever kind of encryption or security measure that fits your use case.

For the mender-grow-data.service, it is a possibility to have an image which adjusts to a variety of storage sizes. If you know the size of the /data storage area in advance, it is not needed.

Greetz,
Josef

Oh, I see!
Thanks!

Would it be any problem if I replace the dependency on data.mount with my custom service that encrypts and mounts the partition?

  • from this
[Unit]
Description=Mender persistent data dir
After=data.mount
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service
  • to this
[Unit]
Description=Mender persistent data dir
After=custom_encrypt_and_mount.service
Before=mender-client.service mender-authd.service mender-updated.service
ConditionPathExists=!/data/mender

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/mkdir -p -m 0700 /data/mender

[Install]
WantedBy=mender-client.service mender-authd.service mender-updated.service
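
Added example, not part of the original post or of Mender's own code: `After=` only orders startup, so if the unlock service fails, `mkdir` can still create /data/mender on unencrypted storage. The guard below checks that a mount point is backed by a dm-crypt mapping; it assumes `custom_encrypt_and_mount.service` uses cryptsetup, and the function names and `--check` flag are hypothetical.

```shell
#!/bin/sh
# Guard for the "Mender persistent data dir" unit (added example).
# Assumption: /data is unlocked with cryptsetup, so its device-mapper
# UUID in sysfs starts with "CRYPT-".

# mount_devno MOUNTPOINT MOUNTINFO
# Prints "major:minor" of the topmost mount on MOUNTPOINT; fails if none.
mount_devno() {
    awk -v mp="$1" '
        $5 == mp { dev = $3 }              # field 5: mount point, field 3: devno
        END { if (dev == "") exit 1; print dev }
    ' "$2"
}

# is_crypt_mount MOUNTPOINT [MOUNTINFO] [SYSFS_ROOT]
# Returns 0 only if MOUNTPOINT is mounted from a dm-crypt mapping.
is_crypt_mount() {
    mp=$1
    mountinfo=${2:-/proc/self/mountinfo}
    sysfs=${3:-/sys}

    # Not mounted at all: /data would be a plain directory on the rootfs.
    devno=$(mount_devno "$mp" "$mountinfo") || return 1

    # Only device-mapper devices expose dm/uuid.
    uuid_file="$sysfs/dev/block/$devno/dm/uuid"
    [ -r "$uuid_file" ] || return 1

    case "$(cat "$uuid_file")" in
        CRYPT-*) return 0 ;;               # mapping created by cryptsetup
        *)       return 1 ;;               # other dm target, e.g. an LVM volume
    esac
}

# Optional command-line entry point: <script> --check /data
if [ "${1:-}" = "--check" ]; then
    is_crypt_mount "${2:-/data}"
    exit $?
fi
```

Called from an `ExecStartPre=` line ahead of the `mkdir`, a non-zero exit makes the unit fail instead of creating the directory in plaintext.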

Interesting take, @sd-ricardo!

My gut feeling is that, yes, it should work - but in good engineering tradition, I can just say "try and find out" 👍

Let us know then!

Greetz,
Josef


Thanks a lot!
I’m just finalizing the fine tuning… so far it seems to be working!
