Secure Store - encryption at rest on your devices (such as a Raspberry Pi).

A new experiment that would be great to hear some feedback on: Secure Store

TLDR: Secure Store is like a YubiKey for your network, providing encryption and remote decryption of files/folders and environment variables for entire IoT fleets.

This is an experimental project for encrypting content on Balena IoT devices (such as the Raspberry Pi) to avoid your content being accessed when devices are lost or stolen. Content can include both folders/files and environment variables, such as encrypted API keys stored in your Balena Cloud.

The difficultly with implementing this functionality on devices like the Raspberry Pi, is your device must be given a password to decrypt content. If you keep that password on the device, it is no longer secure. If you have to go around and enter the password on all your devices, you remove the ability to manage devices remotely. Secure Store aims to overcome this by serving the secure key (your password to unlock the device) from a Store Server device, which the Store Client devices must be able to see and access to decrypt the content stored on them. Example use cases include:

  1. Run your Secure Store Clients on your network. Plug your Secure Store Server in to the same network which will allow your Clients to access the key and decrypt the content store on them. Then remove the Secure Store Server from the network again. In this scenario, as soon as power is removed from the Client device there is only encrypted content available to the person who took your device, and no access to the Secure Server to decrypt it again.
  2. Run the Store Client and Store Servers on the same network, ensuring your network is secured either by protecting the Ethernet accessability or secure WiFi passwords. A compromised device when taken off your network will no longer be able to access the Store Server and get the key required to decrypt the data. For a user to decrypt the data, they would need to extract the WiFi password from the device and the mTLS keys used to communicate with the server, go back to your network, connect to your network and then request the decryption key from your server using the extracted keys, significantly reducing the likelihood of a compromise.
  3. Run your Store Server on a remote server online and apply an IP blocklist/whitelist to the host. Your online server will only accept requests from certain IP addresses (for example the IP address of your public network), which means devices will only decrypt data if they are requesting the key from inside your own network.
  4. Encrypt the content locally, and use something distinct about the operating environment as your password. For example, you could use a hash of your WiFi configuration to only decrypt when connected to the internet, or a hash of a certain part of a file unique to the OS. By compiling the requirements for the hash into the binary, it mitigates hackers attempts to access your content.

If you identify other use cases please do let me know, and would be great as always to hear any feedback.

There is further conversation on the topic that may be of interest too if you would like to find out more: TPM / full disk encryption (x86_64 generic) - #21 by maggie0002