Secure Bootstrapping

Bootstrapping agents for secure installation

  • Updated on Apr 19, 2023

The Banyan Netagent can be deployed in diverse clusters across multiple clouds to manage access controls. In such distributed environments, it is essential that each Netagent securely authenticates and registers itself. We call this the secure bootstrapping flow; it is implemented as follows:

1. Generate Key

The Banyan Command Center generates a new random key string (known as the One-time Security Key) for each registered cluster every 24 hours.

2. Obtain the One-time Security Key

The One-time Security Key value for each cluster can be retrieved by calling an API accessible by any script that possesses a valid Banyan auth token.

curl -H "Authorization: Bearer $YOUR_TOKEN" "$API_ENDPOINT/one_time_security_key?clustername=MYCLUSTERNAME"

3. Configure Shield

Note: If your organization uses a Managed Shield hosted by Banyan’s Software-As-A-Service, you do not need to manage Shield configuration yourself. Secure Bootstrapping will be enabled by default.

The Shield for the cluster must be started with the command line option --securegob. This makes Shield insist that Netagents authenticate themselves using either the One-time Security Key or a previously issued client cert. For Shield to authenticate itself initially to the Banyan Command Center using the One-time Security Key, Shield has a second option --initkey=KEY_VALUE.

4. Bootstrap Netagent

Install Netagent following the secure bootstrapping steps in the installation instructions. When Netagent starts, it authenticates itself to Shield, initially using the given key in an HMAC challenge-response exchange. If that succeeds, Netagent gets a TLS client cert which it can use for subsequent connections to Shield.


Planned Future Enhancements

When the One-time Security Key rotates (once every 24 hours), we will keep both the old and new keys valid for a short time in case a Netagent starts with the old key just after the key is rotated.
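The HMAC challenge-response from step 4, combined with the rotation overlap described above, sketched as an added example; it is not Banyan's code or wire protocol. The message layout, SHA-256, the 32-byte nonce, the 300-second grace window and all names (Verifier, respond, GRACE_SECONDS) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

GRACE_SECONDS = 300  # assumed overlap; the page only says "a short time"


def respond(key, agent_id, nonce):
    """Agent side: prove knowledge of the key without transmitting it."""
    ident = agent_id.encode()
    # Length-prefix the identity so (id, nonce) pairs cannot be ambiguous.
    msg = len(ident).to_bytes(2, "big") + ident + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Shield-like side: issues single-use challenges, checks responses."""

    def __init__(self, key):
        self.current, self.previous, self.rotated_at = key, None, None
        self.pending = {}  # agent_id -> outstanding nonce

    def rotate(self, new_key, now=None):
        self.previous, self.current = self.current, new_key
        self.rotated_at = time.time() if now is None else now

    def challenge(self, agent_id):
        self.pending[agent_id] = secrets.token_bytes(32)
        return self.pending[agent_id]

    def verify(self, agent_id, response, now=None):
        nonce = self.pending.pop(agent_id, None)  # consumed: replays fail
        if nonce is None:
            return False
        now = time.time() if now is None else now
        keys = [self.current]
        if self.previous is not None and now - self.rotated_at <= GRACE_SECONDS:
            keys.append(self.previous)
        # Constant-time comparison against every accepted key, no early exit.
        matches = [hmac.compare_digest(respond(k, agent_id, nonce), response)
                   for k in keys]
        return any(matches)


if __name__ == "__main__":
    old, new = b"constructed-old-key", b"constructed-new-key"  # sample values
    shield = Verifier(old)
    shield.rotate(new, now=1000.0)
    nonce = shield.challenge("agent-1")
    print(shield.verify("agent-1", respond(old, "agent-1", nonce), now=1100.0))
```

Because each nonce is consumed on the first verification attempt, a captured response cannot be replayed, and the previous key stops being accepted as soon as the grace window closes.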

The Netagent cert will be pinned to the hostname or IP to thwart an adversary who has the ability to infiltrate and copy the files to another machine.