Credentials Storage Location

Hi there,

I’ve just completed the process of moving our docker data directory to encrypted storage and I’d like to do the same for the credentials used by aktualizr and docker. Would you be able to point me in the right direction please?

If I make a bind mount such that /var/sota points to encrypted storage, would that be sufficient?

Best regards,
Lloyd

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Hello Lloyd,

Thank you for reaching out with your question. To securely store credentials for aktualizr and Docker on encrypted storage, you can follow a similar approach to what you did with your Docker data. Here’s a step-by-step guide:

1. Identify Credential Storage Locations:
   • For Docker, credentials are typically stored in ~/.docker/config.json.
   • For aktualizr, credentials and configuration files are usually located in /etc/sota/conf.d/ or similar directories.
2. Encrypt the Storage:
   • You can use a tool like cryptsetup to create an encrypted partition or file-based storage. This can be achieved by setting up a LUKS-encrypted partition or using a loopback file with encryption.
3. Move Credentials to Encrypted Storage:
   • Once the encrypted storage is set up, move the credential files to this location.
   • Update any configuration files or environment variables to point to the new location of these credentials.
4. Automate Mounting and Access:
   • Ensure that the encrypted storage is mounted at boot time or when needed, using scripts or systemd services.
   • Consider using a secure method to unlock the encrypted storage, such as a hardware security module (HSM) or a secure key management service.
5. Test the Setup:
   • Verify that both Docker and aktualizr can access their credentials from the new location and that the encryption is functioning as expected.

By following these steps, you can enhance the security of your credentials on Torizon. Always ensure that your encryption keys are stored securely and that access to the encrypted storage is tightly controlled.

I hope this helps you achieve your goal. If you have any more questions, feel free to ask.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Use a credential helper to handle docker authentication on Torizon OS.

Greetings @lblackbeard,

Let me try to provide some advice/guidance on this use-case of yours.

First of all let’s address Aktualizr. Off the top of my head I see 2 options here.

Option 1: As you already know, Aktualizr uses /var/sota as the location to store and dump its data. This location is in fact configurable. As you can see here, I believe nearly every path for Aktualizr can be configured: aktualizr/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc at toradex-master · toradex/aktualizr · GitHub

So in theory you could change the configuration to point to your encrypted storage location. You’ll also need to change the configurations found in secondaries.json so all the secondary update types (docker-compose, bootloader, etc) also use the new location you want.

Option 2: If you don’t want to change the default configuration then I guess you could try to use symlinks, or bind mounts as you already proposed so that /var/sota links to/points to your encrypted location.

Please keep in mind these are rough suggestions and I have not tested either thoroughly.

One more point to consider here. A lot of our Aktualizr adjacent tooling assumes the data directory is located at /var/sota. For example the service that performs the auto-provisioning to Torizon Cloud assumes /var/sota. These may need to be adjusted/changed depending on how you handle this.

Now speaking about the docker credentials. First of all, when you say “docker credentials” I assume you mean the credentials for docker login. Please correct me if my assumption is wrong here.

On TorizonOS we change the default Docker configuration location to /etc/docker as seen here: meta-toradex-torizon/recipes-core/systemd/systemd-conf/system.conf-docker at scarthgap-7.x.y · torizon/meta-toradex-torizon · GitHub

This only applies to processes started by systemd like docker-compose.service. If you run docker login as the torizon user on the command-line then it will use the normal default location. That said, I imagine when your device is in the field it will be systemd processes/services doing these actions anyways.

Similar idea to Aktualizr: you could either change the configuration so DOCKER_CONFIG just points to your encrypted storage or use a symlink/bind-mount to similar effect. Keep in mind whether you want the Docker credentials to be updatable or not. One reason we configured the location to /etc/docker is so that the location would be managed by OSTree and could be updated if needed by users.

Anyways, those are my initial thoughts and impressions with regards to your use-case here. I hope it was of some help to your goal. Let me know if you have any questions about anything I described.

Best Regards,
Jeremias
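Putting Jeremias' Option 2 (bind-mounting /var/sota) and the DOCKER_CONFIG suggestion into systemd units, as an added example that is not part of this thread or of Torizon OS. It assumes the encrypted volume is already unlocked and mounted at /mnt/encrypted (path assumed, e.g. via a crypttab entry) and that the aktualizr unit is named aktualizr-torizon.service (assumed); on a device you would run write_units against /etc/systemd/system, then systemctl daemon-reload and enable var-sota.mount.

```shell
#!/bin/sh
# Added example: generate systemd units that bind-mount /var/sota onto encrypted
# storage and point systemd-started Docker at a DOCKER_CONFIG on that storage.
# Assumptions: the encrypted volume is mounted at $ENC_ROOT; aktualizr runs as
# aktualizr-torizon.service (unit name assumed, adjust for your image).
set -eu

ENC_ROOT="${ENC_ROOT:-/mnt/encrypted}"   # mount point of the unlocked encrypted volume

# write_units OUTDIR: write the units into OUTDIR (/etc/systemd/system on the device).
write_units() {
    outdir="$1"
    mkdir -p "$outdir/docker-compose.service.d" "$outdir/aktualizr-torizon.service.d"

    # Mount unit name must be the systemd-escaped mount point: /var/sota -> var-sota.mount
    cat > "$outdir/var-sota.mount" <<EOF
[Unit]
Description=Bind /var/sota onto encrypted storage
RequiresMountsFor=$ENC_ROOT

[Mount]
What=$ENC_ROOT/sota
Where=/var/sota
Type=none
Options=bind

[Install]
WantedBy=local-fs.target
EOF

    # Make aktualizr wait for the bind mount so it never writes to the plain /var/sota.
    cat > "$outdir/aktualizr-torizon.service.d/encrypted-sota.conf" <<EOF
[Unit]
RequiresMountsFor=/var/sota
EOF

    # A per-service Environment= overrides the manager-wide default (/etc/docker on Torizon OS).
    cat > "$outdir/docker-compose.service.d/encrypted-docker-config.conf" <<EOF
[Unit]
RequiresMountsFor=$ENC_ROOT

[Service]
Environment=DOCKER_CONFIG=$ENC_ROOT/docker
EOF
}

# check_units OUTDIR: succeed only if the bind mount and the DOCKER_CONFIG override are present.
check_units() {
    grep -q '^Options=bind$' "$1/var-sota.mount" &&
    grep -q "^Environment=DOCKER_CONFIG=$ENC_ROOT/docker$" "$1/docker-compose.service.d/encrypted-docker-config.conf"
}
```

Credentials written by an interactive docker login as the torizon user still land in ~/.docker/config.json, as Jeremias notes; only systemd-started services pick up the drop-in.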

Excellent, thanks so much! I’ll see where this leads me.

Let me know if you have any further questions. Also it would be appreciated if you could share any of your own findings or results. Would be good to know for future reference.

Best Regards,
Jeremias