doc: encryption organization

This commit is contained in:
Alex 2023-06-14 12:51:47 +02:00 committed by networkException
parent 6efcc8d8ae
commit e3306fcef5
Signed by: networkException
GPG key ID: E3877443AE684391

@ -49,14 +49,9 @@ implements a protocol that has been clearly reviewed, Secure ScuttleButt's
Secret Handshake protocol. This is why setting a `rpc_secret` is mandatory,
and that's also why your nodes have super long identifiers.
## Encrypting traffic between a Garage node and your client
## HTTP API endpoints provided by Garage are in clear text
HTTP API endpoints provided by Garage are in clear text.
You have multiple options to have encryption between your client and a node:
- Setup a reverse proxy with TLS / ACME / Let's encrypt
- Setup a Garage gateway locally, and only contact the garage daemon on `localhost`
- Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard
Adding TLS support built into Garage is not currently planned.
## Garage stores data in plain text on the filesystem
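Review bot: The section now headed "HTTP API endpoints provided by Garage are in clear text" no longer tells the reader what to do about it. As far as the visible lines show, the list of options leaves this hunk and only "Adding TLS support built into Garage is not currently planned." stays under the heading. A reader who stops here learns that client traffic is unencrypted and that no built-in fix is coming, but not that mitigations are documented further down. Consider adding one sentence after that line pointing to "Encrypting traffic between a Garage node and your client" under "Adding data encryption using external tools". As a style point, the new heading is a full sentence while the neighbouring headings are noun phrases; something like "HTTP API endpoints are served in clear text" would sit better beside "Garage stores data in plain text on the filesystem".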
@ -76,6 +71,14 @@ system such as Hashicorp Vault?
# Adding data encryption using external tools
## Encrypting traffic between a Garage node and your client
You have multiple options to have encryption between your client and a node:
- Setup a reverse proxy with TLS / ACME / Let's encrypt
- Setup a Garage gateway locally, and only contact the garage daemon on `localhost`
- Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard
## Encrypting data at rest
Protects against the following threats:
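Review bot: The second bullet in the moved list, "Setup a Garage gateway locally, and only contact the garage daemon on `localhost`", does not say why this gives encryption, and now that the list sits far from the RPC paragraph the reader has lost that context. Consider adding a clause stating that the client-to-gateway hop stays on the loopback interface and that traffic from the gateway to the other nodes is covered by the node-to-node protocol described earlier in the file (the part that requires `rpc_secret`), if that is the intent. Since the lines are being moved anyway, this is also a good moment to fix the wording: "Setup" as a verb should be "Set up" in the first two bullets, "Let's encrypt" should be "Let's Encrypt", and "Wireguard" should be "WireGuard". Finally, the parent heading reads "Adding data encryption using external tools" while this subsection is about traffic rather than stored data; "Adding encryption using external tools" would cover both this subsection and "Encrypting data at rest".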