
Secure Storage

This section describes the Secure Storage service, which allows an app to store and retrieve data securely via a REST-based API. The storage is encrypted and bound to the security module of the host system (if one is present and supported by the underlying Device Kit services).

Device Builders can enable the secure storage support by changing the host.securestorage capability and by implementing the IE Device Kit Security Service API.

IE Device Kit Security Service API

The IE Device Kit Security Service can be implemented in security-based modules on the device. Check this page to learn how to handle the security service proto file and other relevant packages.

Message

The data content that needs to be encrypted or decrypted via the security module (the underlying hardware support from the IE Device Kit). The runtime currently supplies at most 128 bytes of data to be sealed.

SealMessage

This API encrypts (seals) the message using the underlying device security module.

UnsealMessage

This API decrypts (unseals) a sealed (encrypted) message using the underlying device security module.
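
The seal/unseal contract described above, sketched as an added example that is not the IE Device Kit's own code or its proto API. `Sealer`, `NewSealer`, the AES-256-GCM construction and the in-memory key are assumptions standing in for the hardware security module; only the operation names and the 128-byte limit come from this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const MaxMessageSize = 128 // bytes; the limit the page gives for data to seal

// Sealer is a hypothetical software stand-in for the device security module.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(deviceKey []byte) (*Sealer, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Sealer{aead: aead}, err
}

// SealMessage returns nonce || ciphertext || tag for msg.
func (s *Sealer) SealMessage(msg []byte) ([]byte, error) {
	if len(msg) > MaxMessageSize {
		return nil, errors.New("message exceeds 128 bytes")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, msg, nil), nil
}

// UnsealMessage fails if the blob was modified or sealed under another key.
func (s *Sealer) UnsealMessage(sealed []byte) ([]byte, error) {
	if n := s.aead.NonceSize(); len(sealed) >= n {
		return s.aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

func main() {
	s, _ := NewSealer(make([]byte, 32)) // constructed all-zero demo key; real hardware never exposes it
	blob, _ := s.SealMessage([]byte("constructed secret"))
	out, err := s.UnsealMessage(blob)
	fmt.Printf("%q %v\n", out, err)
}
```

Because the sealed blob only opens under the same key, data sealed on one device cannot be unsealed on another, which is the binding to the host's security module that this section describes.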

NOTICE

Once usage of the Device Kit API (the security module of the underlying system) is enabled on a device, Device Builders cannot disable it again; if they do, the device becomes inaccessible. The reverse direction, enabling it on a device where it was disabled, works.

Known Issues

  • An application that uses the host's Docker network (for example network_mode: host) cannot use the secure storage v1 APIs: its REST API calls are not authorized.

  • The Modular Device Integration offering does not support secure storage v1 APIs.


Funding Acknowledgment: Funded by the Federal Ministry for Economic Affairs and Energy based on a decision by the German Bundestag | Your funding provider: Kicks for Edge as part of the EU funding program IPCEI-CIS (FKZ:13IPC008)