Persisted State Security Guidelines
Please make sure you have gone through all the bullets in Security Guidelines.
This document contains security guidelines for AMP persisted state.
For Object Storage based persistence, consider setting up Riak CS so that it is accessible only to AMP and not to the wider internet or other machines.
File-based Persistence
Consider using OS encryption for the volume where persisted state is stored by using an encrypted destination drive. This adds an additional level of safety in the case of VM corruption, or when malicious actions are performed on the persisted state volume.
Encrypting file based persistence
In situations where there is a danger of non-privileged users accessing the persistence volume of the AMP VM, you may want to encrypt the persistence data.
Make sure you have an external vault provider with encrypted credentials. Follow Obscuring AMP externalized configuration and put the persistence encryption credentials in the vault.
In etc/brooklyn.cfg, add a named location of type encrypted:
brooklyn.location.named.encryptedPersistenceDestination=encrypted
# Optional security algorithm parameter.
brooklyn.location.named.encryptedPersistenceDestination.secretKeyAlgorithm=AES
# Optional encryption transformation parameter.
brooklyn.location.named.encryptedPersistenceDestination.transformation=AES/CBC/PKCS5Padding
# Required secret key parameter.
# Base64 formatted secret key.
brooklyn.location.named.encryptedPersistenceDestination.secretKey=$brooklyn:external("vaultObscuredProvider","persSecretKey")
# Required encryption IV parameter.
# Base64 formatted init vector.
brooklyn.location.named.encryptedPersistenceDestination.initVector=$brooklyn:external("vaultObscuredProvider","persInitVector")
Then tell AMP to use the encryptedPersistenceDestination.
In etc/org.apache.brooklyn.osgilauncher.cfg, change persistenceLocation to the named location you specified in brooklyn.cfg:
# The location spec for an object store to read/write persisted state
persistenceLocation=encryptedPersistenceDestination
Now when AMP starts, it will detect whether the persistence destination is either encrypted with the keys you specified or empty. NOTE: AMP doesn't support encryption of an unencrypted state.
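One way to produce and sanity-check the two Base64 values before storing them in the vault as persSecretKey and persInitVector, given as an added example that is not part of the AMP documentation or code. It assumes AMP passes the decoded values to a standard AES/CBC cipher, which requires a 16, 24 or 32 byte key and a 16 byte init vector; the function names are hypothetical.

```python
import base64
import binascii
import secrets

AES_KEY_SIZES = (16, 24, 32)   # AES-128/192/256 key lengths in bytes
AES_BLOCK_SIZE = 16            # a CBC init vector must equal the AES block size


def generate_persistence_secrets(key_bytes=32):
    """Return (secretKey, initVector) as Base64 strings from the OS CSPRNG."""
    if key_bytes not in AES_KEY_SIZES:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    key = base64.b64encode(secrets.token_bytes(key_bytes)).decode("ascii")
    iv = base64.b64encode(secrets.token_bytes(AES_BLOCK_SIZE)).decode("ascii")
    return key, iv


def _decode(name, value, problems):
    """Strictly decode Base64; record a problem and return None on failure."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        problems.append(f"{name} is not valid Base64")
        return None


def check_persistence_secrets(secret_key_b64, init_vector_b64):
    """Return a list of problems; an empty list means the pair looks usable."""
    problems = []
    key = _decode("secretKey", secret_key_b64, problems)
    iv = _decode("initVector", init_vector_b64, problems)
    if key is not None and len(key) not in AES_KEY_SIZES:
        problems.append(f"secretKey decodes to {len(key)} bytes, expected 16, 24 or 32")
    if iv is not None and len(iv) != AES_BLOCK_SIZE:
        problems.append(f"initVector decodes to {len(iv)} bytes, expected 16")
    if key is not None and len(set(key)) == 1:
        problems.append("secretKey is a single repeated byte, not random")
    return problems


if __name__ == "__main__":
    key_b64, iv_b64 = generate_persistence_secrets()
    assert check_persistence_secrets(key_b64, iv_b64) == []
    # Output is meant to be piped straight into the vault client, not saved to disk.
    print("persSecretKey=" + key_b64)
    print("persInitVector=" + iv_b64)
```

Keep a copy of both values in the vault's own backup: because AMP expects existing state to be encrypted with the configured keys, losing them makes the persisted state unreadable.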