
I have a pair of IoT Edge modules, one which saves data and one which uploads data. I would like to encrypt the data while it is at rest on the device.

There are many ways I could go about encrypting this data, but I would like to know what the most idiomatic way to do this within an Azure IoT Edge module is.

I know that the secure daemon uses the TPM for a few things, and all of our devices have TPM 2.0 chips; we're using the TPM endorsement keys with the DPS.

I'm wondering if there's a way for the secure daemon to encrypt generic blobs of data for us using the TPM, or if we are expected to try to communicate with the TPM from inside the container somehow to do this?

More info: This is the secure daemon: https://github.com/Azure/iotedge/tree/master/edgelet. It is an IoT Edge specific component which acts as a bootstrapper to fire up the IoT Edge agent module, which then fires up the other modules. The daemon runs under systemd and all other modules are Docker containers, as described here: https://learn.microsoft.com/en-us/azure/iot-edge/about-iot-edge
The runtime is described as "Maintains Azure IoT Edge security standards on the device," so I was wondering whether there was some kind of easy way to just give it some data to encrypt, and have that encrypted.

Since the secure daemon is already interfacing with the TPM for device registration etc., I was wondering whether there was some way to ask the secure daemon to encrypt data, or whether there was some other idiomatic solution specific to the IoT Edge runtime.

Hammatt
  • Which system is running on your device that has TPM 2.0, Linux or Windows? Here is a [topic](https://stackoverflow.com/questions/28862767/how-to-encrypt-bytes-using-the-tpm-trusted-platform-module) about how to encrypt bytes using the TPM on Linux. – Michael Xu Jul 23 '18 at 08:09
  • It's running on Linux. Can I access the TPM like this from within an edge module (Docker container)? – Hammatt Jul 23 '18 at 08:38
  • This question is way too broad as is. It is not clear what the daemon is, what the container is, what you have in place so far, and what you're trying to accomplish. Of course you can encrypt data with the TPM, but more info is needed to provide a more detailed answer. – mnistic Jul 23 '18 at 16:20
  • I've edited with some more information. My question is less about whether it's possible; I'm aware it's possible, but I'm wondering what the most idiomatic way to do this within Azure IoT Edge is. Thanks. – Hammatt Jul 23 '18 at 19:57
  • Have you looked at this document (https://learn.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-linux)? Even though it is about a simulated TPM, it gives IoT Edge access to the TPM. Hope that is helpful for you. – Michael Xu Jul 24 '18 at 07:28

1 Answer

My question has been answered here: https://github.com/Azure/iotedge/issues/60. The idiomatic way to encrypt/decrypt data in an IoT Edge module at the moment seems to be to communicate with the daemon via a Unix socket (see the env var IOTEDGE_WORKLOADURI).

Hammatt
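As an added example (not code from the question, the answer or the iotedge project), this is what such a call looks like from a Python module: it reads the workload socket from IOTEDGE_WORKLOADURI and POSTs a blob to the daemon's encrypt route over the Unix socket, so the key never enters the container. The environment values and module name are constructed, the socket path is a typical default rather than something the thread states, and the route layout and JSON field names are assumed from the workload API spec in the iotedge repo (edgelet/api), so check them against the runtime version you run.

```python
import base64
import http.client
import json
import os
import socket
from urllib.parse import urlparse
# Constructed stand-in for the variables the daemon injects into a module's environment
# (real code reads os.environ). Route layout and JSON field names are assumed from the
# workload API spec in the iotedge repo (edgelet/api); check them against your runtime.
SAMPLE_ENV = {
    "IOTEDGE_WORKLOADURI": "unix:///var/run/iotedge/workload.sock",
    "IOTEDGE_MODULEID": "storageModule",
    "IOTEDGE_MODULEGENERATIONID": "636981576913318704",
    "IOTEDGE_APIVERSION": "2018-06-28",
}

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 over a Unix domain socket; the daemon does not listen on TCP."""
    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def build_request(env, op, data_b64, iv_b64):
    """Return (socket path, URL path, JSON body) for an 'encrypt' or 'decrypt' call."""
    uri = urlparse(env["IOTEDGE_WORKLOADURI"])
    if uri.scheme != "unix":
        raise ValueError("only unix:// workload URIs are handled here")
    url_path = "/modules/{}/genid/{}/{}?api-version={}".format(
        env["IOTEDGE_MODULEID"], env["IOTEDGE_MODULEGENERATIONID"], op, env["IOTEDGE_APIVERSION"])
    field = "plaintext" if op == "encrypt" else "ciphertext"
    return uri.path, url_path, json.dumps({field: data_b64, "initializationVector": iv_b64})

def call_workload(env, op, data, iv):
    # Same call serves both directions; decrypt must be given the IV stored with the record.
    b64 = lambda b: base64.b64encode(b).decode()
    sock_path, url_path, body = build_request(env, op, b64(data), b64(iv))
    conn = UnixHTTPConnection(sock_path)
    conn.request("POST", url_path, body=body, headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    raw = resp.read()
    if resp.status != 200:
        raise RuntimeError("workload API returned {}: {!r}".format(resp.status, raw[:200]))
    return base64.b64decode(json.loads(raw)["ciphertext" if op == "encrypt" else "plaintext"])

def encrypt_for_storage(env, plaintext):
    iv = os.urandom(16)  # fresh IV per record (16 bytes assumed); store it beside the ciphertext
    return iv, call_workload(env, "encrypt", plaintext, iv)
```

Reading a record back is the mirror call, `call_workload(env, "decrypt", ciphertext, iv)`, with the IV that was saved alongside the ciphertext.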