Published
July 19, 2024

Portable KMS: edge computing security for remote devices

Pedro Oliveira
Senior Systems Engineer
Dimitris Karakasilis
Open Source Principal Software Engineer
How do you secure unattended edge devices?

Imagine you are deploying a fleet of autonomous robots. There’s a whole world of internet of things (IoT) use cases, but for our purposes the application is irrelevant. They might be inspecting an oil pipeline, surveying a border for security, or laser-weeding a field of crops.

To perform these tasks, your hard-working robots might be running some image recognition algorithms and AI models which you spent months building and training. 

There is no guarantee that there will be internet connectivity where these devices operate, and there are times during the day (or night) when the robots are not under direct supervision (they are autonomous, right?). The attack surface is wide open, and a security breach would mean your unique AI intellectual property is compromised.

How do you make sure your important and sensitive data won't become prey for anyone bold enough to steal one of your edge computing devices? What security measures can you put in place?

Securing access controls at scale

An obvious solution to this problem is full disk encryption. In layman's terms, the data written to the disks of the IoT devices is encrypted, and decrypting it requires a passphrase.

To decrypt the disk and allow the machines to boot, one has to provide the passphrase in some form. 

Remember, we’re operating in a disconnected environment here, so there’s no way to authenticate against a cloud-based or network-based security service.

You’re left with a few options: either type the passcode in directly, plug in a USB key (e.g. a YubiKey), or use the machine’s embedded security component, the trusted platform module (TPM) chip. 

None of these are perfect options:

  • Typing passphrases is error prone, time-consuming and requires visual feedback — you need to plug in a screen and keyboard. And it definitely doesn’t scale to tens or hundreds of machines, which may need authenticating daily.
  • Plugging in USB sticks may be quicker, but each should be unique to each device, making it an operational nightmare and expensive to scale — plus you need each device to have an open and accessible USB port.
  • Using the TPM chip alone to authenticate is also problematic: if a threat actor steals the device, it will continue to boot and decrypt the partition successfully as long as the boot image hasn’t been tampered with. That’s because the TPM is generally embedded in the computer's motherboard or in its processor, so when the machine gets stolen, so does the TPM! Instead, you need an external factor to validate the decryption.

The CNCF’s Kairos project takes an alternative approach: decrypting over the wire using a remote Key Management Server (KMS).

Edge device security with a KMS

In short, here’s how it works.

  • When the machine boots, the TPM does its usual boot validation (as described in our blog on trusted boot).
  • Then, the machine authenticates with the KMS, requesting the passphrase to decrypt the device’s disk partitions.
  • The KMS will only provide the passphrase to the machine with the correct TPM chip.

But where do you run the KMS?

One option would be to keep it in the field, near the devices, ready to authenticate whenever a device might need it. But then you need to permanently secure the KMS itself — after all, it stores all the passphrases for the edge devices in the fleet. Even if the KMS’s disk itself is encrypted, allowing physical access to it poses yet another security risk.

But for many use cases, the KMS doesn’t need to be always available. It may only be needed at the start of a shift or during an upgrade window, in which case a trusted user can carry the KMS in the form of some portable device (a laptop or even a smartphone). 

While this limits the devices to only being able to boot when an operator is within range, it is much more secure the rest of the time.

This remote KMS model is now available out of the box with Kairos. If you find this use case interesting and want to try it out yourself, read the Kairos documentation here.

A remote KMS authentication workflow in action

It’s 8am and a fleet of autonomous devices has been unloaded from trucks at a worksite.

The field operator pulls out a ruggedized laptop, connected to the same Wi-Fi network as the devices, and spins up the KMS.

All the devices power on, in this case with a quick physical button press.

The devices look up the KMS over multicast DNS (mDNS). It doesn’t matter which IP address is assigned to the KMS; every time it joins the local network, it can be automatically discovered by the edge devices. There’s no need for any static IP address setup. 

Each device authenticates with the KMS and receives its unique passcode to decrypt its root filesystem partition, and the operating system can complete its boot.

The operator can leave the field at any time to move on to their next project, and the devices can keep running.

In the event of a device being stolen, the operator can safely blacklist the device on the KMS by removing the relevant device’s TPM hash. The next time it tries to connect to the KMS, the KMS will refuse to supply the passphrase, thereby protecting the data. 

And of course, if the attacker tries to boot the device out of range of the KMS, the boot also fails. If they remove the device’s disk and try to access it from another machine, that fails too, because the exchange depends on the TPM chip on the original device’s motherboard, which the other machine can’t reach.
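To make the boot-time exchange and the theft scenario concrete, here is a small Go model of the KMS policy. It is an added illustration written for this article, not code from Kairos or Spectro Cloud, and it deliberately simplifies: the TPM is stood in for by an ed25519 private key that never leaves the device, the "TPM hash" is the SHA-256 of that key's public half (an analogue of an endorsement-key hash), and KMS discovery over mDNS is left out. All type and function names are assumptions. It shows the enrol / challenge / release flow from the bulleted workflow above, single-use challenges so a captured response cannot be replayed, refusal of a device that cannot sign with the enrolled key, and revocation by removing the TPM hash, which is the blacklisting step described for a stolen device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Either error means "do not unlock the disk".
var (
	ErrUnknownDevice = errors.New("kms: TPM hash not enrolled")
	ErrBadResponse   = errors.New("kms: challenge response did not verify")
)

// Device models an edge device. Its "TPM" is an ed25519 private key that never
// leaves the struct (a constructed stand-in for a key held inside a real TPM).
type Device struct{ tpmPriv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{tpmPriv: priv}, nil
}

// TPMPublicKey is the only key material the KMS ever receives.
func (d *Device) TPMPublicKey() ed25519.PublicKey { return d.tpmPriv.Public().(ed25519.PublicKey) }

// TPMHash is the identity the KMS enrolls and, after a theft, removes (SHA-256 of the public key).
func (d *Device) TPMHash() string {
	sum := sha256.Sum256(d.TPMPublicKey())
	return hex.EncodeToString(sum[:])
}

// Sign answers a KMS challenge with the key held inside the "TPM".
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.tpmPriv, challenge) }

type enrollment struct {
	pub        ed25519.PublicKey
	passphrase string
}

// KMS holds one passphrase per enrolled TPM hash plus the nonce last issued to each device.
type KMS struct {
	enrolled map[string]enrollment
	pending  map[string][]byte
}

func NewKMS() *KMS { return &KMS{enrolled: map[string]enrollment{}, pending: map[string][]byte{}} }

// Enroll records a device's public key and the passphrase for its disk.
func (k *KMS) Enroll(tpmHash string, pub ed25519.PublicKey, passphrase string) {
	k.enrolled[tpmHash] = enrollment{pub: pub, passphrase: passphrase}
}

// Revoke is the "blacklist the stolen device" step: every later request from that hash is refused.
func (k *KMS) Revoke(tpmHash string) {
	delete(k.enrolled, tpmHash)
	delete(k.pending, tpmHash)
}

// Challenge issues a fresh random nonce to an enrolled device.
func (k *KMS) Challenge(tpmHash string) ([]byte, error) {
	if _, ok := k.enrolled[tpmHash]; !ok {
		return nil, ErrUnknownDevice
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	k.pending[tpmHash] = nonce
	return nonce, nil
}

// Release hands out the passphrase only if the response is a valid signature, under the
// enrolled key, over the nonce issued to this device. The nonce is consumed before
// verification, so a captured response cannot be replayed.
func (k *KMS) Release(tpmHash string, response []byte) (string, error) {
	e, ok := k.enrolled[tpmHash]
	if !ok {
		return "", ErrUnknownDevice
	}
	nonce := k.pending[tpmHash] // nil when nothing is outstanding
	delete(k.pending, tpmHash)
	if nonce == nil || !ed25519.Verify(e.pub, nonce, response) {
		return "", ErrBadResponse
	}
	return e.passphrase, nil
}

// Unlock is the device side of the boot-time exchange: get a challenge, sign it, receive the passphrase.
func Unlock(d *Device, k *KMS) (string, error) {
	nonce, err := k.Challenge(d.TPMHash())
	if err != nil {
		return "", err
	}
	return k.Release(d.TPMHash(), d.Sign(nonce))
}
```

The design point worth noting is that the KMS never stores anything the device could be impersonated with: it holds only public keys and passphrases, and a request succeeds only when a fresh nonce is signed by the private key that stays inside the device. Revoking a hash is therefore sufficient to lock out a stolen device, and because the nonce is discarded before the signature is checked, an attacker who recorded a previous successful exchange gains nothing by replaying it.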

[Figure: Remote KMS authentication workflow]

Finding the right security model for each edge use case

Securing devices at the edge is of paramount importance, especially when devices are left unattended in remote locations in industries like agriculture and energy.

At Spectro Cloud and in the Kairos project, we’re always working to tackle the many diverse edge security challenges inherent in real-world industry use cases. 

The remote KMS solution we discuss in this blog is just one part of an overall robust security posture, alongside security features like trusted boot and secure device onboarding. These controls should work as a coherent whole through a platform to manage edge Kubernetes clusters at enterprise scale.

To learn more about our blueprint for edge security, check out the Secure Edge Native Architecture (SENA) published in partnership with Intel.

And if you want to learn more about edge security, or talk to an expert, join the Kairos community or get in touch with Spectro Cloud here.
