Secure Bootstrapping
Bootstrapping agents for secure installation
- Updated on Apr 19, 2023
- 1. Generate Key
- 2. Obtain the One-time Security Key
- 3. Configure Shield
- 4. Bootstrap Netagent
- Planned Future Enhancements
The Banyan Netagent can be deployed in diverse clusters across multiple clouds to manage access controls. In such distributed environments, it is essential that each Netagent securely authenticates and registers itself. We call this the secure bootstrapping flow; it is implemented as follows:
1. Generate Key
The Banyan Command Center generates a new random key string (known as the One Time Security Key) for each registered cluster every 24 hours.
2. Obtain the One-time Security Key
The One-time Security Key value for each cluster can be retrieved by calling an API accessible by any script that possesses a valid Banyan auth token.
curl -H "Authorization: Bearer $YOUR_TOKEN" "$API_ENDPOINT/one_time_security_key?clustername=MYCLUSTERNAME"
3. Configure Shield
Note: If your organization uses a Managed Shield hosted by Banyan’s Software-As-A-Service, you do not need to manage Shield configuration yourself. Secure Bootstrapping will be enabled by default.
The Shield for the cluster must be started with the command line option --securegob. That will make Shield insist that Netagents authenticate themselves using either the One Time Security Key or a previously issued client cert. For Shield to authenticate itself initially to the Banyan Command Center using the One Time Security Key, Shield has a second option --initkey=KEY_VALUE.
4. Bootstrap Netagent
Install Netagent following the secure bootstrapping section of the installation instructions. When Netagent starts it authenticates itself to Shield, initially using the given key in a challenge-response HMAC exchange. If that succeeds, Netagent is issued a TLS client cert which it uses for subsequent connections to Shield.
Planned Future Enhancements
When the One-time Security Key rotates (once every 24 hours), we will keep both the old and new keys valid for a short time in case a Netagent starts with the old key just after the key is rotated.
The Netagent cert will be pinned to the hostname or IP to thwart an adversary who has the ability to infiltrate and copy the files to another machine.
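The following is an added simulation of the step 4 challenge-response HMAC together with the key-rotation grace window described above; it is not Banyan's code and does not reproduce the real Shield/Netagent wire format. The agent IDs, the nonce-plus-agent-ID message layout, the placeholder cert strings and the key values are all assumptions.

```python
import hashlib
import hmac
import secrets


# Shield side (models --securegob): holds the current One-time Security Key
# and, after a rotation, the previous key for a grace window.
class ShieldVerifier:
    def __init__(self, key: bytes):
        self.current_key = key
        self.previous_key = None
        self.issued = {}  # agent_id -> placeholder client cert (constructed)

    def rotate(self, new_key: bytes) -> None:
        # The old key stays valid until the next rotation replaces it.
        self.previous_key, self.current_key = self.current_key, new_key

    def challenge(self) -> bytes:
        # Fresh random nonce per attempt, so a captured response cannot be replayed.
        return secrets.token_bytes(32)

    def verify(self, agent_id: str, nonce: bytes, response: bytes) -> bool:
        # Accept a response computed with either the current or the previous key;
        # compare in constant time.
        for key in (self.current_key, self.previous_key):
            if key is None:
                continue
            expected = hmac.new(key, nonce + agent_id.encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                return True
        return False

    def bootstrap(self, agent_id: str, nonce: bytes, response: bytes):
        # On success Shield hands out a client cert for later connections.
        if not self.verify(agent_id, nonce, response):
            return None
        cert = "cert-for-" + agent_id  # placeholder, not a real certificate
        self.issued[agent_id] = cert
        return cert


# Netagent side: answers the challenge with the key it was installed with.
def netagent_respond(key: bytes, agent_id: str, nonce: bytes) -> bytes:
    return hmac.new(key, nonce + agent_id.encode(), hashlib.sha256).digest()


def run_bootstrap(shield: ShieldVerifier, agent_key: bytes, agent_id: str):
    # One full exchange: Shield issues a nonce, Netagent answers, Shield decides.
    nonce = shield.challenge()
    return shield.bootstrap(agent_id, nonce, netagent_respond(agent_key, agent_id, nonce))
```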