
I am trying to build an OTA (over the air) update mechanism with Docker and Watchtower. I am a newbie at Linux and Docker. I think I will use the technique shown here, which I think means the Bitbucket SSH key is stored on the host (rpi) and with this technique I will copy that key into the container. What I am wondering, because my rpi devices will be in the hands of my customers, is:

  1. Have I understood the concept right: "the Bitbucket SSH key is stored on the host (rpi), and with this technique I will copy that key into the container"?
  2. If 1. will happen that way, is my SSH key secure, given that it will be stored on each device I deliver to the customers?
beratuslu

1 Answer


The SSH private key will need to be on each rpi, and the corresponding public key will need to be added to the Bitbucket repo(s).

If the private key is compromised - which is possible, if you're distributing it everywhere - then the potential damage will depend on where you've put the public key. You can mitigate that potential damage with a couple of things:

  1. Only use this keypair for this specific purpose.
  2. Add the public key as an "access key" on just the repo(s) that need it. Access keys are read-only in Bitbucket, so if/when the private key is compromised then the attacker will be able to read (but not modify) the code.
  3. If you don't have a lot of customers who'll be using this specific thing, consider creating a different key for each one (so you can revoke access for specific customers or devices as you need to). This could get complicated to maintain, though.
Jim Redmond
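The first and third points of the answer (a single-purpose keypair, and one key per device so a single device can be revoked) can be scripted on the Pi at provisioning time. The script below is an added example and is not from the answerer or the Watchtower project; it assumes keys live under a directory of your choosing (`KEY_ROOT`, default `/home/pi/ota-ssh`), that the caller supplies a device id, and that the container receives that directory as a read-only bind mount.

```shell
#!/bin/sh
# Provision a dedicated, per-device Bitbucket deploy key on a Raspberry Pi,
# so one compromised device can be revoked without touching the others.
# Assumptions (not from the original thread): keys live under $KEY_ROOT,
# the device id is passed in by the caller, and the app container gets the
# key directory as a read-only bind mount.
set -eu

KEY_ROOT="${KEY_ROOT:-/home/pi/ota-ssh}"

# Write an ssh config that binds the per-device key to bitbucket.org only.
# IdentitiesOnly stops ssh from offering any other key found on the host
# (e.g. a developer key left behind) to Bitbucket.
write_ssh_config() {
    dir="$1"; device_id="$2"
    umask 077
    mkdir -p "$dir"
    cat > "$dir/config" <<EOF
Host bitbucket.org
    User git
    IdentityFile $dir/id_ed25519_ota_$device_id
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile $dir/known_hosts
EOF
    chmod 600 "$dir/config"
    printf '%s\n' "$dir/config"
}

# Generate the keypair. The comment carries the device id so the public key
# is recognisable in the repo's access-key list when it has to be revoked.
provision_device_key() {
    device_id="$1"
    dir="$KEY_ROOT/$device_id"
    write_ssh_config "$dir" "$device_id" >/dev/null
    ssh-keygen -q -t ed25519 -N "" -C "ota-deploy-$device_id" \
        -f "$dir/id_ed25519_ota_$device_id"
    chmod 600 "$dir/id_ed25519_ota_$device_id"
    # The operator adds this public key as a read-only access key on the
    # repo(s) the device needs; nothing else is ever granted to it.
    cat "$dir/id_ed25519_ota_$device_id.pub"
}

# Example container start (myapp:latest is a placeholder image name): the
# key directory is mounted read-only, so the app can fetch from Bitbucket
# but cannot modify or replace its own credential.
# docker run -d -v "$KEY_ROOT/<device_id>:/root/.ssh:ro" myapp:latest
```

Revocation is then a matter of deleting that one device's public key from the repository's access keys, which is why the key comment and file name both carry the device id.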