From cd424b3955ba7c60ebe4b4ba3bf6ea759501b325 Mon Sep 17 00:00:00 2001 From: Keirthana Date: Wed, 22 Jan 2025 21:29:33 +0530 Subject: [PATCH 1/4] feat(exp): update security documentation for data at rest --- explanation/anbox-security.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/explanation/anbox-security.md b/explanation/anbox-security.md index 35c91370..5889d648 100644 --- a/explanation/anbox-security.md +++ b/explanation/anbox-security.md @@ -80,6 +80,21 @@ It is possible to turn off this update mechanism by setting `container.security_ For security reasons, always keep your systems up-to-date at all times. To ensure this, snaps update automatically, and the snap daemon is by default configured to check for updates four times a day. +## Data security + +We avoid storing user data as much as possible and don't provide any data encryption. The following table helps you understand how data related to you or provided by you is used within Anbox Cloud by various components. + +| Component | Databases | Data stored| +|-----------|-----------|------------| +| LXD instances | Dqlite and SQLite | Information about instances, their management, authentication and certificates | +| AMS | etcd | Information about instance management and configuration, {ref}`custom user data ` when explicitly provided | +| Anbox Stream Gateway | Dqlite | Session and management metadata, service account IDs that identify the web client | +| Anbox Cloud dashboard | SQLite | User email that are used for authentication | + +Services used by Anbox Cloud have configuration files that contain secrets. For the Anbox Stream Gateway, the secrets are stored in Juju relation data. + +The data that you provide to your applications in Android is stored within the instance, for the duration of the instance. + ## Android security The images that Anbox Cloud provides are based on different Android versions. They are updated with security patches monthly, based on the upstream security tags. You can find detailed information on the security patches that have been included (or considered to be included but found unrelated) in the [Android Security Bulletins](https://source.android.com/docs/security/bulletin). The relevant security bulletin for each Anbox Cloud release is linked in the {ref}`ref-release-notes`. From 7ddfecea65420bd90c662454539c152ed2992034 Mon Sep 17 00:00:00 2001 From: Keirthana Date: Tue, 28 Jan 2025 12:13:32 +0530 Subject: [PATCH 2/4] Add list of configuration files --- explanation/anbox-security.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/explanation/anbox-security.md b/explanation/anbox-security.md index 5889d648..f0644dfd 100644 --- a/explanation/anbox-security.md +++ b/explanation/anbox-security.md @@ -82,7 +82,7 @@ For security reasons, always keep your systems up-to-date at all times. To ensur ## Data security -We avoid storing user data as much as possible and don't provide any data encryption. The following table helps you understand how data related to you or provided by you is used within Anbox Cloud by various components. +The following table helps you understand how data related to you or provided by you is used within Anbox Cloud by various components so that you can encrypt and backup information that needs to be secured. | Component | Databases | Data stored| |-----------|-----------|------------| @@ -91,7 +91,30 @@ We avoid storing user data as much as possible and don't provide any data encryp | Anbox Stream Gateway | Dqlite | Session and management metadata, service account IDs that identify the web client | | Anbox Cloud dashboard | SQLite | User email that are used for authentication | -Services used by Anbox Cloud have configuration files that contain secrets. For the Anbox Stream Gateway, the secrets are stored in Juju relation data. +Services used by Anbox Cloud have configuration files that contain secrets. A charmed Anbox Cloud deployment contains the following configuration files that contain secrets: + +`/var/snap/ams/common/server/settings.yaml` +`/var/snap/aar/common/conf/main.yaml` +`/var/snap/anbox-cloud-dashboard/common/service/config.yaml` +`/var/snap/anbox-stream-agent/common/agent/config.yaml` +`/var/snap/anbox-stream-gateway/common/service/config.yaml` +`/etc/turnserver.conf` +`/etc/coturn/auth_secret` +`/var/snap/nats/common/server/nats.cfg` + +An Anbox Cloud Appliance deployment contains the following configuration files that contain secrets: + +`/var/snap/anbox-cloud-appliance/common/daemon/config.yaml` +`/var/snap/anbox-cloud-appliance/common/telegraf/main.conf` +`/var/snap/anbox-cloud-appliance/common/agent/config.yaml` +`/var/snap/anbox-cloud-appliance/common/coturn/turnserver.conf` +`/var/snap/anbox-cloud-appliance/common/ams/server/settings.yaml` +`/var/snap/anbox-cloud-appliance/common/dashboard/config.yaml` +`/var/snap/anbox-cloud-appliance/common/nats/nats.cfg` +`/var/snap/anbox-cloud-appliance/common/gateway/config.yaml` +`/var/snap/anbox-cloud-appliance/common/config.yaml` + +For the Anbox Stream Gateway, the secrets are stored in Juju relation data. The data that you provide to your applications in Android is stored within the instance, for the duration of the instance. From af9c18465c9c404192bc8cbeb585186dc237d7c9 Mon Sep 17 00:00:00 2001 From: Keirthana Date: Wed, 29 Jan 2025 14:44:57 +0530 Subject: [PATCH 3/4] Reword for no user action --- explanation/anbox-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/explanation/anbox-security.md b/explanation/anbox-security.md index f0644dfd..8e5042bf 100644 --- a/explanation/anbox-security.md +++ b/explanation/anbox-security.md @@ -82,14 +82,14 @@ For security reasons, always keep your systems up-to-date at all times. To ensur ## Data security -The following table helps you understand how data related to you or provided by you is used within Anbox Cloud by various components so that you can encrypt and backup information that needs to be secured. +The following table helps you understand how data related to you or provided by you is used within Anbox Cloud by various components. | Component | Databases | Data stored| |-----------|-----------|------------| | LXD instances | Dqlite and SQLite | Information about instances, their management, authentication and certificates | | AMS | etcd | Information about instance management and configuration, {ref}`custom user data ` when explicitly provided | | Anbox Stream Gateway | Dqlite | Session and management metadata, service account IDs that identify the web client | -| Anbox Cloud dashboard | SQLite | User email that are used for authentication | +| Anbox Cloud dashboard | SQLite | User emails that are used for authentication | Services used by Anbox Cloud have configuration files that contain secrets. A charmed Anbox Cloud deployment contains the following configuration files that contain secrets: From c94d3e3f8d5d1dc7fd31c0527600330c5de486ad Mon Sep 17 00:00:00 2001 From: Keirthana Date: Wed, 29 Jan 2025 22:45:22 +0530 Subject: [PATCH 4/4] Add details about secret management --- explanation/anbox-security.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/explanation/anbox-security.md b/explanation/anbox-security.md index 8e5042bf..98c4b240 100644 --- a/explanation/anbox-security.md +++ b/explanation/anbox-security.md @@ -91,7 +91,9 @@ The following table helps you understand how data related to you or provided by | Anbox Stream Gateway | Dqlite | Session and management metadata, service account IDs that identify the web client | | Anbox Cloud dashboard | SQLite | User emails that are used for authentication | -Services used by Anbox Cloud have configuration files that contain secrets. A charmed Anbox Cloud deployment contains the following configuration files that contain secrets: +Services used by Anbox Cloud have configuration files that contain secrets. The secrets are automatically generated and managed by the respective charms or the appliance. The authentication methods used are futher defined in {ref}`exp-security-landing` for managing secrets. + +A charmed Anbox Cloud deployment contains the following configuration files that contain secrets: `/var/snap/ams/common/server/settings.yaml` `/var/snap/aar/common/conf/main.yaml`