Rotate keys and certificates for IoT

Hello, I’m looking for best practices to rotate keys and certificates for IoT during run time (not build time).

I am using AWS IoT, so my device will communicate with the AWS MQTT server. For my device to be an AWS MQTT client, I need 3 secret files: a certificate file, a private key file, and a CA certificate file. And then, in case the keys get compromised, or if I just need to rotate the keys, I’m trying to come up with the best way to replace them.

The first idea that comes to mind is to pass base64 encoded strings to the device using environment or device service variables. But the MQTT client needs the certificate file, private key file, and CA certificate file to be actual files, not strings in memory. So then I would need a process that polls environment variables and writes them to files when they change, and then have my MQTT client restart so it can read the new keys. That seems like too much for environment variables.

My next idea was, instead of 3 environment vars containing file contents, I could use one environment var that is a private auth key string for my own REST API server. When you connect to that API server and pass the correct auth key, it downloads the 3 files locally and restarts my MQTT client.

But I can’t be the first person to have this problem, so there must be a general purpose solution to rotate IoT keys and key files on devices. I found some github repos that kind of do this, but they were all a few years old and not fully baked. Vault might work for this, but I’m not sure if a device would have a problem unsealing it or not.

Are there built-in features of Balena that help in rotating keys on devices?

Hello, environment variables are the way to go, I think, as the simplest option. When env vars change, the application is automatically restarted, which means the entry script of your container could be picking up the env vars and creating files out of them.
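The entry-script pattern the reply describes, and the "poll the variables and write them to files" step from the question, as one added example. This is not code from the original thread, from Balena, or from AWS. It assumes three base64-encoded device variables named `AWS_IOT_CERT_B64`, `AWS_IOT_KEY_B64` and `AWS_IOT_CA_B64`, an output directory in `CERT_DIR` (default `/data/certs`), a GNU or busybox `base64` that accepts `-d`, and an optional `openssl` binary; the file names under `CERT_DIR` are also assumptions. The part worth copying is the failure handling: all three values are decoded and checked before any existing file is replaced, so a typo in one variable never leaves the device with a new certificate and an old private key.

```shell
#!/bin/sh
# Added example, not from the original post, Balena, or AWS.
# Container entry script: turn base64 device variables into the PEM files an
# AWS IoT MQTT client expects, refuse to start on bad material, then exec the client.
# Assumed variable names: AWS_IOT_CERT_B64, AWS_IOT_KEY_B64, AWS_IOT_CA_B64, CERT_DIR.
# Assumes GNU/busybox `base64 -d`; `openssl` is used only if present.

# stage_pem_file NAME B64 DEST MODE: decode one variable into DEST.new with MODE.
# Nothing is installed here; the caller moves the staged files into place.
stage_pem_file() {
  name="$1" b64="$2" dest="$3" mode="$4"
  if [ -z "$b64" ]; then
    echo "$name is not set" >&2
    return 1
  fi
  tmp="$dest.new"
  # Created private (umask 077) and only widened by the explicit chmod below.
  (umask 077 && printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null) || {
    rm -f "$tmp"; echo "$name is not valid base64" >&2; return 1; }
  # Reject anything that does not decode to PEM, e.g. a value pasted raw.
  if ! grep -q -- '-----BEGIN ' "$tmp"; then
    rm -f "$tmp"; echo "$name does not decode to a PEM file" >&2; return 1
  fi
  chmod "$mode" "$tmp"
}

# install_aws_iot_creds: stage all three files, then rename them into place.
# If any one is missing or malformed, the previously installed files are left
# untouched, so the client never starts on a half-rotated set.
install_aws_iot_creds() {
  dir="${CERT_DIR:-/data/certs}"
  mkdir -p "$dir" || return 1
  ok=1
  stage_pem_file AWS_IOT_CERT_B64 "${AWS_IOT_CERT_B64:-}" "$dir/certificate.pem.crt" 0644 || ok=0
  stage_pem_file AWS_IOT_KEY_B64  "${AWS_IOT_KEY_B64:-}"  "$dir/private.pem.key"     0600 || ok=0
  stage_pem_file AWS_IOT_CA_B64   "${AWS_IOT_CA_B64:-}"   "$dir/AmazonRootCA1.pem"   0644 || ok=0
  if [ "$ok" -ne 1 ]; then
    rm -f "$dir"/*.new
    return 1
  fi
  # Each rename is atomic on one filesystem; the set is moved only after all
  # three have been validated above.
  for f in certificate.pem.crt private.pem.key AmazonRootCA1.pem; do
    mv -f "$dir/$f.new" "$dir/$f" || return 1
  done
}

# key_matches_cert KEY CERT: compare the public keys (RSA or EC). Needs openssl.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# entrypoint CLIENT_CMD...: install the files, then hand control to the client.
# The container is restarted when a device variable changes, so this runs again
# with the new values and the client comes up on the rotated material.
entrypoint() {
  install_aws_iot_creds || { echo "refusing to start: credentials not installed" >&2; exit 1; }
  dir="${CERT_DIR:-/data/certs}"
  if command -v openssl >/dev/null 2>&1 \
     && ! key_matches_cert "$dir/private.pem.key" "$dir/certificate.pem.crt"; then
    echo "refusing to start: private key does not match certificate" >&2
    exit 1
  fi
  exec "$@"
}

# Image wiring (assumed): ENTRYPOINT ["/entry.sh", "run"] with the MQTT client
# command as CMD, so the script receives it as "$@".
if [ "${1:-}" = run ]; then
  shift
  entrypoint "$@"
fi
```

Two caveats for a rotation flow built this way: the CA file is public and the certificate is not secret either, so only the private key needs mode 0600, but all three are rewritten together because the client must see a consistent set; and the old private key file is overwritten, not securely erased, which matters on flash storage if the reason for rotating is a suspected compromise.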