trdl is designed to minimize the damage from potential attacks on the release system. The Vault secret manager, the TUF-based repository (The Update Framework), and Git are the three main components that make this possible.

trdl components and their roles
  • Vault
    • Secure encryption key management.
    • A platform for running the trdl server securely. Ensures confidentiality, data integrity and availability, accountability; provides authentication and authorization methods.
  • TUF repository
    • Protection against unauthorized access to content: binary files, packages, and other software.
    • Data relevance, consistency and integrity.
    • Mitigating key risks; compromise resilience (damage reduction in case of key compromise/loss)
    • Key replacement.
  • Git repository
    • Stores code, build configurations, and release channels configurations.
    • Stores GPG signatures of commits to verify operations.
  • Docker
    • Ensures builds are reproducible.

trdl provides a secure channel for delivering releases from the Git repository to the user's host and guarantees the integrity of the release contents.

  • It protects against Git repository spoofing and compromise. trdl uses Git commits to ensure the integrity of the entire change history, including all metadata and repository content, all the way back to the initial commit.

  • All operations are confirmed by a quorum of GPG signatures for each commit. The signatures are stored in the Git repository, while the public parts of trusted GPG keys and the list of required signatures are stored in Vault.

  • trdl protects against rolling back the release channels to previous versions with vulnerabilities. During the update, trdl checks if the last successful commit is related to the current one. As a result, git push --force to a prior signed commit will not work.

  • trdl manages encryption keys and automatically creates and stores them in Vault. As a result, no one has access to the encryption keys, and no one ever uses them directly.

What trdl does not protect against
  • trdl cannot protect you against threats related to physical access to the host where the trdl-client is installed.

  • trdl cannot protect you against human errors, e.g., incorrect GPG signature quorum configuration, improper build instructions, and faulty Vault config.

Our recommendations
  • Use an external authentication provider instead of the Vault root token.
  • Set up an NGINX proxy to secure access to Vault by switching to HTTPS and enabling access only to certain Vault endpoints.
  • Run Docker on the same host as Vault and block outside access to Docker.
  • Do not install any other software on the virtual machine where Vault and the trdl plugin are running.
  • Use the common and proven methods of protecting the OS/host.