Security and Authentication Mechanisms in Mender (Open Source)

Hello everyone,

I am currently integrating Mender (open source version) into an embedded Linux project, and I would like to better understand the security mechanisms, especially those related to authentication between the device and the server.

I have read through the official documentation, but some points remain unclear to me. I would therefore like to clarify the following aspects regarding how security and authentication work in the open source edition:

1. Device authentication by the server

  • How does the server verify the identity of a device during onboarding and during subsequent communications?
  • What is the exact role of the device’s private key (mender-agent.pem) in this process?
  • Is this key used only during enrollment, or is it also used to sign later requests?

2. Server authentication by the device

  • How does the device ensure that it is communicating with the correct Mender server?
  • What is the purpose of the server.crt file? Is it the server certificate, a CA certificate, or a certificate used specifically for TLS validation?
  • At what point in the installation or build process is this file distributed to the device?

3. Role of TLS

  • TLS obviously encrypts the communication, but is it also used for mutual authentication in the open source version?
  • Are there any additional mechanisms beyond TLS that reinforce authentication?

4. Token management

  • I have seen that Mender uses a JWT token on the device side.

    • When exactly is this token obtained?
    • Where is it stored on the device?
    • Is it used for all requests, or only for certain specific operations?
    • Does it have a defined expiration or automatic rotation?

In summary, I am trying to fully understand the chain of trust and authentication between the server and the client in the open source version of Mender: key generation and usage, certificate distribution, the role of TLS, and how JWT tokens are handled.

If available, are there any diagrams or architectural overviews that illustrate this whole security and authentication workflow?

Thank you in advance for your clarifications!