aboutsummaryrefslogtreecommitdiff
path: root/doc/book
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2023-06-14 12:51:47 +0200
committerAlex Auvolat <alex@adnab.me>2023-06-14 12:51:47 +0200
commit9092c71a01311f8f7174fa03facdb4d95a7b1389 (patch)
tree62e8bf6e275ce045e29baf7a660706899e54ed8e /doc/book
parent120f8b3bfb61d1f38290207ac67933263cb57eeb (diff)
downloadgarage-9092c71a01311f8f7174fa03facdb4d95a7b1389.tar.gz
garage-9092c71a01311f8f7174fa03facdb4d95a7b1389.zip
doc: encryption organization
Diffstat (limited to 'doc/book')
-rw-r--r--doc/book/cookbook/encryption.md17
1 files changed, 10 insertions, 7 deletions
diff --git a/doc/book/cookbook/encryption.md b/doc/book/cookbook/encryption.md
index 156c54e8..8d45a0ee 100644
--- a/doc/book/cookbook/encryption.md
+++ b/doc/book/cookbook/encryption.md
@@ -49,14 +49,9 @@ implements a protocol that has been clearly reviewed, Secure ScuttleButt's
Secret Handshake protocol. This is why setting a `rpc_secret` is mandatory,
and that's also why your nodes have super long identifiers.
-## Encrypting traffic between a Garage node and your client
+## HTTP API endpoints provided by Garage are in clear text
-HTTP API endpoints provided by Garage are in clear text.
-You have multiple options to have encryption between your client and a node:
-
- - Setup a reverse proxy with TLS / ACME / Let's encrypt
- - Setup a Garage gateway locally, and only contact the garage daemon on `localhost`
- - Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard
+Adding TLS support built into Garage is not currently planned.
## Garage stores data in plain text on the filesystem
@@ -76,6 +71,14 @@ system such as Hashicorp Vault?
# Adding data encryption using external tools
+## Encrypting traffic between a Garage node and your client
+
+You have multiple options to have encryption between your client and a node:
+
+ - Setup a reverse proxy with TLS / ACME / Let's encrypt
+ - Setup a Garage gateway locally, and only contact the garage daemon on `localhost`
+ - Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard
+
## Encrypting data at rest
Protects against the following threats: