Feature: Transparent end to end encryption and authentication #504

Open
tgraf opened this Issue Apr 4, 2017 · 7 comments

@tgraf
Member

tgraf commented Apr 4, 2017

  • Automatically encrypt all packets between cluster nodes
  • Authenticate nodes prior to communication
  • Ability to specify keys
  • Integration with various secrets stores
  • Possibility to specify ability to receive untrusted traffic in the policy
  • Integration with service identity spec such as SPIFFE
@danwent

Contributor

danwent commented Apr 17, 2017

Is it intentional to call out just encryption here, as opposed to encryption, authentication, and integrity? I'm assuming we'd use something like IPsec and/or SSL/TLS, which should be able to provide all three, and the main use case would seem to be protecting against an untrusted "physical" network, in which case, I assume you would want all three.

@tgraf tgraf changed the title from Feature: Transparent end to end encryption to Feature: Transparent end to end encryption and authentication Apr 23, 2017

@tgraf

Member

tgraf commented Apr 23, 2017

> Is it intentional to call out just encryption here, as opposed to encryption, authentication, and integrity? I'm assuming we'd use something like IPsec and/or SSL/TLS, which should be able to provide all three, and the main use case would seem to be protecting against an untrusted "physical" network, in which case, I assume you would want all three.

Absolutely, this includes auth and integrity as well. I've updated the section. It's still fairly high level until we work out individual details.
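As an added illustration of the point raised above (not code from this issue or from the Cilium project): a cipher that only encrypts, such as AES-CTR, lets a single flipped byte on the untrusted network pass straight through to the receiver as a one-byte change in the decrypted packet, while an AEAD such as AES-GCM (the construction used by IPsec ESP and TLS 1.2+/1.3 cipher suites) rejects the tampered packet outright. The key, IV and nonce below are constructed constants so the run is deterministic; a real node-to-node tunnel derives fresh keys and never reuses a nonce under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key, IV and nonce (assumptions for this example only).
var (
	demoKey   = bytes.Repeat([]byte{0x42}, 32)            // AES-256 key
	demoIV    = bytes.Repeat([]byte{0x01}, aes.BlockSize) // CTR needs a 16-byte IV
	demoNonce = bytes.Repeat([]byte{0x02}, 12)            // GCM standard nonce size
)

// ctrXOR applies AES-CTR in either direction: confidentiality only.
// Nothing here can tell that the ciphertext was modified in transit.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// newGCM builds an AEAD (AES-GCM) whose tag binds ciphertext and associated
// data together, giving confidentiality plus integrity and origin authentication.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// flipByte returns a copy of buf with byte i XORed by mask, standing in for
// corruption or tampering on the network between two cluster nodes.
func flipByte(buf []byte, i int, mask byte) []byte {
	out := append([]byte(nil), buf...)
	out[i] ^= mask
	return out
}

// CTRTampered encrypts plaintext with AES-CTR, flips one ciphertext byte and
// returns what the receiver decrypts. The receiver cannot detect anything:
// byte i of the result is plaintext[i]^mask and every other byte is unchanged.
func CTRTampered(plaintext []byte, i int, mask byte) ([]byte, error) {
	ct, err := ctrXOR(demoKey, demoIV, plaintext)
	if err != nil {
		return nil, err
	}
	return ctrXOR(demoKey, demoIV, flipByte(ct, i, mask))
}

// GCMTampered seals plaintext with AES-GCM, flips one byte of the sealed
// packet and returns the receiver's Open result, which fails authentication.
// aad stands in for packet headers that are authenticated but not encrypted.
func GCMTampered(plaintext, aad []byte, i int, mask byte) ([]byte, error) {
	aead, err := newGCM(demoKey)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, demoNonce, plaintext, aad)
	return aead.Open(nil, demoNonce, flipByte(sealed, i, mask), aad)
}

// GCMRoundTrip shows that the untampered packet opens correctly.
func GCMRoundTrip(plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(demoKey)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, demoNonce, plaintext, aad)
	return aead.Open(nil, demoNonce, sealed, aad)
}

func main() {
	pkt := []byte("dst=10.0.0.5 action=allow") // constructed sample payload
	aad := []byte("node-a->node-b")             // constructed sample header

	got, _ := CTRTampered(pkt, 20, 0x01) // byte 20 is the 'a' of "allow"
	fmt.Printf("CTR receiver accepts tampered packet: %q\n", got)

	if _, err := GCMTampered(pkt, aad, 5, 0x80); err != nil {
		fmt.Println("GCM receiver rejects tampered packet:", err)
	}
	ok, _ := GCMRoundTrip(pkt, aad)
	fmt.Printf("GCM untampered packet: %q\n", ok)
}
```

The CTR path is exactly why "encryption only" is not enough for the untrusted-network use case: the policy field in the payload can be altered byte by byte without the key and without the receiver noticing. With GCM the same flip fails the tag check and the packet is dropped before any policy logic sees it.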

@wallies

wallies commented Aug 31, 2017

I don't know whether this issue has been completed or how the implementation was going to be implemented but something that would be nice is using WireGuard (https://github.com/linuxkit/linuxkit/blob/master/docs/wireguard.md) which is something LinuxKit was looking to use for a similar use case. Also great project by the way.

@ericstoekl

ericstoekl commented Jul 25, 2018

@tgraf can we get a status update on this issue?

@G3ph4z

G3ph4z commented Nov 8, 2018

I guess it isn't implemented yet, right?

@tgraf tgraf added this to Proposed in 1.4 via automation Nov 8, 2018

@tgraf tgraf added this to the 1.4-feature milestone Nov 8, 2018

@tgraf

Member

tgraf commented Nov 8, 2018

@ericstoekl @G3ph4z We are actively implementing this right now.

@justincormack

justincormack commented Nov 8, 2018