Bootstrapping
What is Bootstrapping?
Bootstrapping is the process of securely enrolling a device into the platform. The device identifies itself with a valid bootstrap key and is then accepted by the platform. During this process the agent creates unique public-private key pairs, so that all future communication is based on unique keys. Without the correct bootstrap key the trust relationship cannot be established and the device is rejected.
The Bootstrap Key
The bootstrap key is a secret key used to enroll devices. Each account has a unique default bootstrap key so that using the platform is simple, and additional keys can be created. The bootstrap key can be found in the menu in the top right corner, under the user name. Opening the "bootstrap keys" menu opens a new tab showing all available keys.
It is important to understand that the bootstrap key is used only for the initial trust-building process. After that, individual keys take over and the bootstrap key will never be used again. Bootstrap keys can therefore also be deleted to prevent additional devices from registering with them. The command to bootstrap with a key is as follows:
sudo qbee-agent bootstrap -k <bootstrap_key>
Creating and Editing Bootstrap Keys
Pressing "Generate a new key" produces a new key, and any number of keys can be created this way. Existing keys can also be edited through the menu system. It is possible to assign a default group to a bootstrap key. All devices registering with this bootstrap key will then automatically appear in that group and apply all group configurations. Bootstrap keys can be set to auto accept or to manual accept. If manual is selected for the key, the devices will appear in the "Devices Tab", indicated by the "Pending Devices" button. Pressing this button opens a detailed view with the option to manually allow the bootstrapping process.
Bootstrap Keys in Production
Most customers define specific bootstrap keys for different production batches. This way any manufacturer of the devices can use a specific bootstrap key to provision the full batch. After all devices in that batch are provisioned, we recommend deleting the bootstrap key to prevent any other device from auto registering. For the next production run or a new manufacturer, a new key can be created and distributed.
It is also possible to divide fleets into different parts using separate bootstrap keys that associate the devices with different groups, reflecting different customers or hardware revisions. Devices will then automatically end up in the defined group and obtain all group-specific configuration.
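For the production batch workflow above, a first-boot helper can enroll the device once and then remove the local copy of the batch key, since the bootstrap key is never used again after enrollment. This is an added example, not code from the qbee documentation; the key-file handling, the `QBEE_AGENT` override, the `bootstrap_once` name and the assumption that the agent exits 0 on success are all hypothetical, and only `qbee-agent bootstrap -k` comes from the page.

```shell
#!/bin/sh
# Added example: one-shot enrollment for a factory or first-boot step.
# Run as root (the documented command is invoked with sudo).
# Assumptions, not from the qbee documentation: the key is delivered in a
# file, QBEE_AGENT may override the binary, and exit status 0 means enrolled.

QBEE_AGENT="${QBEE_AGENT:-qbee-agent}"

# bootstrap_once KEYFILE
# Returns 0 on success, 2 if the key file is missing or empty, 3 if the key
# file is accessible to group or others, otherwise the agent's exit status.
bootstrap_once() {
    keyfile="$1"

    [ -s "$keyfile" ] || { echo "no bootstrap key at $keyfile" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    # The batch key is a shared secret, so refuse a loosely protected copy.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile is accessible to group/others; fix with chmod 600" >&2
        return 3
    fi

    key=$(tr -d '[:space:]' < "$keyfile")

    # Documented enrollment command. On failure keep the key for a retry.
    "$QBEE_AGENT" bootstrap -k "$key" || {
        rc=$?
        echo "bootstrap failed (exit $rc); key file kept for retry" >&2
        return "$rc"
    }

    # The device now has its own key pair; the batch key has no further use
    # on this device, so do not leave it on disk.
    rm -f "$keyfile"
}

# Stand-alone use: ./bootstrap-once.sh /path/to/keyfile
if [ "$#" -eq 1 ]; then
    bootstrap_once "$1"
fi
```

Removing the file only clears the device-side copy; deleting the key in the platform after the batch is provisioned is still what stops further registrations.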