Bosch IoT Rollouts

Artifact encryption

Bosch IoT Rollouts distributes artifacts to devices using the underlying content distribution network (CDN). The devices access the artifacts using a download URL provided by DDI-API or DMF-API. The download URL is signed and has a configurable expiration (default: 30 days), which is the default way of securing access to a CDN. An attacker, getting hold of a download URL, can download the artifact. If no end-to-end encryption is available on customer side, Bosch IoT Rollouts provides artifact encryption to mitigate this risk. Artifact encryption can be enabled per software module (using AES-256 GCM).

Table of contents:

Enabling artifact encryption

The artifact encryption feature can be enabled, when creating a software module, selecting the checkbox Enable artifact encryption. Artifacts added to this software module are encrypted. Encryption increases file size by 16 bytes, i.e. the length of an authentication tag. The corresponding cryptographic key and initialization vector are stored as software module meta data with key AES256.key and AES256.iv. Do not delete this meta data, as it is required for decryption. Artifacts downloaded via Management UI or Management API are provided decrypted, i.e. the backend already decrypts the file before providing it to the client.

images/confluence/download/attachments/2013094656/EnableArtifactEncryption.png

Decrypting artifacts on device

Cryptographic key and initialization vector for decryption is provided by DDI-API or DMF-API in the meta data section. Pay attention to the size of the authentication tag of 16 bytes.