Keys and certificates generated and used by EVE
Introduction
In order to satisfy all of the security requirements discussed in SECURITY, and work with the constraints of trusted platform modules (TPMs) when it comes to different key usage, EVE requires several different keys and associated certificates.
In addition, to handle the multi-level security for communication with the controller (TLS as a base, then object signing to prevent content-inspecting enterprise proxies from modifying configuration etc, then object encryption to prevent such proxies from seeing confidential configuration information) there are several certificates needed from the controller.
Keys and certificates generated on edge node
If EVE is running on hardware with a trusted platform module (TPM), then these key pairs are generated by the TPM, and the certificates are stored both in the filesystem and in the case of the key device certificate, also stored in the TPM's NVRAM. If there is no TPM then the private keys are also stored in the file system.
| Key/cert | Purpose | Type | Location | Reference |
|---|---|---|---|---|
| Device key | Prove the identity of the device | ECC (P-256) | TPM or /config/device.key.pem | Identity of EVE |
| Device cert | Secure identity of the device | ECC (P-256) | /config/device.cert.pem | Identity of EVE |
| ECDH key | For API object encryption | ECC (P-256) | TPM or /persist/certs/ecdh.key.pem | Config object encryption |
| ECDH cert | For API object encryption | ECC (P-256) | /persist/certs/ecdh.cert.pem | Config object encryption |
| Attestation key | Sign the attestation | ECC (P-256) | TPM or /persist/certs/attest.cert.pem | Measured Boot and Remote Attestation |
| Attestation cert | Sign the attestation | ECC (P-256) | /persist/certs/attest.cert.pem | Measured Boot and Remote Attestation |
| Onboarding key | Used initially for onboarding | ECC (P-256) | /config/onboard.key.pem | Registration |
| Onboarding cert | Used initially for onboarding | ECC (P-256) | /config/onboard.cert.pem | Registration |
| Endorsement cert | Needed for some use of vTPM | Depends on TPM | Generated by TPM | Identity of EVE |
| Vault Encryption | Lock/unlock vault | Sealed to TPM PCRs | Encrypted Data Store | |
| Vault Encryption | Backup for upgrades | Encrypted and sent to controller | Encrypted Data Store |
Controller certificates used by EVE
| Certificate | Purpose | Type | Location | Reference |
|---|---|---|---|---|
| Root of trust | Validate legitimate controller | Any | /config/root-certificate.pem | Trusting controller |
| Signing cert | Signing of API messages | Any | /persist/certs/server-signing-cert.pem | Populated using the EVE API. See SIGNING |
| ECDH cert | Api object encryption | ECC (P-256) | Only in memory | Config object encryption |
Other certificates
| Certificate | Purpose | Type | Location |
|---|---|---|---|
| TLS root of trust | Standard TLS | Any | /config/v2tlsbaseroot-certificates.pem |