Tillered Arctic
Concepts

Security

Understanding Arctic's security and trust model

Security

This article explains Arctic's security model, authentication mechanisms, and trust relationships.

Trust Model

Arctic's trust model is based on cryptographic verification:

License-Based Trust

Trust flows from the license:

  1. Tillered signs licenses with cryptographic keys
  2. Agents verify license signatures at bootstrap
  3. Peers verify each other against the same license
  4. Only peers with valid, matching licenses can join

Why License-Based?

  • No central authority: Peers verify independently
  • Offline capable: No network call to verify membership
  • Cryptographic: Cannot be forged without private keys
  • Revocable: License expiration limits access

Cryptographic Security

Arctic uses industry-standard cryptographic algorithms throughout:

  • Digital signatures for license signing, peer identity, and handshake authentication
  • Authenticated encryption for transport security between peers
  • Modern key exchange protocols with perfect forward secrecy for IP tunnels

All cryptographic implementations use well-audited libraries and follow current best practices.

Peer Authentication

Key Generation

During bootstrap, each peer:

  1. Generates a cryptographic key pair
  2. Stores the private key securely in $DATA_DIR/peer.key
  3. Registers the public key with the cluster

Handshake Authentication

When peers connect:

Both peers must have valid signatures to complete the handshake.

API Authentication

OAuth2 Client Credentials

API authentication uses OAuth2:

  1. Client sends client_id and client_secret
  2. Server validates credentials
  3. Server issues JWT access token
  4. Client uses token for subsequent requests

Token Structure

Access tokens are JWTs containing:

  • Peer ID (issuer)
  • Client ID (subject)
  • Scopes (permissions)
  • Expiration (1 hour default)

Scope-Based Authorization

Credentials can be limited to specific operations:

ScopePermissions
adminFull access
peers.readList/get peers
peers.writeAdd/update/delete peers
services.readList/get services
services.writeCreate/update/delete services
credentials.readList credentials
credentials.writeCreate/revoke credentials

Transport Security

API (HTTPS)

For production deployments:

  • Use a reverse proxy with TLS
  • Arctic agent serves HTTP by default
  • TLS termination at load balancer recommended

Peer Communication

Peer-to-peer traffic is always encrypted:

  • TCP traffic: Encrypted headers and payload
  • Non-TCP traffic: Encrypted tunnel with forward secrecy
  • No plaintext between peers

Data Security

At Rest

Sensitive data stored on disk:

DataLocationProtection
Private keypeer.keyFile permissions (600)
Credentialsarctic.dbApplication-level
Licenselicense.jsonSigned, not encrypted

Recommendations

  • Restrict file system access to Arctic data directory
  • Use full-disk encryption for hosts
  • Regular backups of arctic.db

License Security

License Structure

Licenses contain:

{
  "license_id": "lic_...",
  "customer_id": "cust_...",
  "issued_at": "2024-01-01T00:00:00Z",
  "expires_at": "2025-12-31T23:59:59Z",
  "max_nodes": 10,
  "max_services": 100,
  "signature": "base64..."
}

Verification

Agents verify:

  1. Signature is valid
  2. Signing key is known (embedded public keys)
  3. License has not expired
  4. Limits are not exceeded

Key Rotation

License signing keys rotate quarterly:

  • New keys are embedded in agent releases
  • Old keys remain valid for existing licenses
  • Agents support multiple public keys

Threat Mitigations

Unauthorized Cluster Access

Threat: Attacker joins cluster without valid license.

Mitigation: Handshake requires valid license signature verification. Without a properly signed license, handshake fails.

Credential Theft

Threat: Attacker obtains API credentials.

Mitigation:

  • Credentials have scopes (limit blast radius)
  • Credential rotation supported
  • 24-hour grace period allows recovery
  • Revocation immediately invalidates credentials

Man-in-the-Middle

Threat: Attacker intercepts peer communication.

Mitigation:

  • All peer traffic is encrypted
  • Peers verify each other's identities
  • Forward secrecy protects past sessions

License Tampering

Threat: Attacker modifies license to increase limits.

Mitigation:

  • Licenses are cryptographically signed
  • Signature verification fails for modified licenses
  • Cannot forge without private signing key

Best Practices

Production Deployment

  1. Use HTTPS: TLS termination at reverse proxy
  2. Rotate credentials: Regular rotation schedule
  3. Limit scopes: Least privilege for automation
  4. Monitor access: Log and alert on API access
  5. Protect keys: Secure peer.key file

Credential Management

  1. Create specific credentials for each use case
  2. Use read-only credentials for monitoring
  3. Revoke unused credentials promptly
  4. Rotate shared cluster credential periodically

Network Security

  1. Firewall non-essential ports
  2. Use private networks between agents
  3. Consider VPN for management access
  4. Monitor for unusual traffic patterns

See Also

Transparent Mode

Understanding how Transparent Mode preserves source IP addresses through TProxy tunnels

On this page

SecurityTrust ModelLicense-Based TrustWhy License-Based?Cryptographic SecurityPeer AuthenticationKey GenerationHandshake AuthenticationAPI AuthenticationOAuth2 Client CredentialsToken StructureScope-Based AuthorizationTransport SecurityAPI (HTTPS)Peer CommunicationData SecurityAt RestRecommendationsLicense SecurityLicense StructureVerificationKey RotationThreat MitigationsUnauthorized Cluster AccessCredential TheftMan-in-the-MiddleLicense TamperingBest PracticesProduction DeploymentCredential ManagementNetwork SecuritySee Also