Skip to content

docs: Security model #6031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs: Security model #6031

wants to merge 1 commit into from
+146 −0

Conversation

Dan-Heath
Copy link
Contributor

@Dan-Heath Dan-Heath commented Sep 5, 2025
edited
Loading

Description

This PR adds security model documentation to the Boundary docs to better explain what is and isn't considered part of the threat model. This information is documented for other HashiCorp products in a similar format.

This update also combines the HCP Boundary security model document with the more general Boundary information. Once this is published, we would remove the standalone HCP version.

View the preview deployment

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.
    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@Dan-Heath Dan-Heath added this to the deferred milestone Sep 5, 2025
@Dan-Heath Dan-Heath self-assigned this Sep 5, 2025
@Dan-Heath Dan-Heath marked this pull request as ready for review September 5, 2025 17:56
@Dan-Heath Dan-Heath requested review from a team as code owners September 5, 2025 17:56
johanbrandhorst
johanbrandhorst reviewed Sep 5, 2025
View reviewed changes
Copy link
Collaborator

@johanbrandhorst johanbrandhorst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

website/content/docs/secure/security-model.mdx

- **Eavesdropping on any Boundary communication**.
All communication between clients, controllers, and workers is protected by TLS or mutually authenticated TLS, ensuring confidentiality and integrity.
- **Tamerping with data at rest or in transit**.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- **Tamerping with data at rest or in transit**.
- **Tampering with data at rest or in transit**.

website/content/docs/secure/security-model.mdx
Comment on lines +55 to +56
- Boundary Client Agent specifics:
- The Client Agent stores session credentials and related information in memory and in the user's OS-dependent keyring.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The client agent doesn't use the keyring, but the CLI does. The client agent only stores credentials in-memory, they are never persisted to anything.

website/content/docs/secure/security-model.mdx
- Brokered credentials may be returned to the user's device and displayed in plain text.
- Boundary Client Agent specifics:
- The Client Agent stores session credentials and related information in memory and in the user's OS-dependent keyring.
Boundary persists auth tokens to platform-specific keyring storage.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Boundary persists auth tokens to platform-specific keyring storage.
Boundary CLI persists auth tokens to platform-specific keyring storage.

website/content/docs/secure/security-model.mdx
- The Client Agent stores session credentials and related information in memory and in the user's OS-dependent keyring.
Boundary persists auth tokens to platform-specific keyring storage.
If an attacker can read the memory of the Client Agent process or has compromised the OS user account under which the Client Agent is running and authenticated, they may be able to access these active session credentials.
- The Client Agent's security relies on the OS user context; an OS user can only connect to sessions managed by the Client Agent if they are the same OS user that authenticated the agent.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- The Client Agent's security relies on the OS user context; an OS user can only connect to sessions managed by the Client Agent if they are the same OS user that authenticated the agent.
- The Client Agent's security relies on the OS user context; an OS user can only connect to sessions managed by the Client Agent if they are the same OS user that initiated the DNS lookup that created the session.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, on MacOS, we use the most recently authenticated user, since we can't tell who is making the DNS request. We may want to differentiate between Windows and MacOS here to be explicit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johanbrandhorst johanbrandhorst johanbrandhorst left review comments

@tmessi tmessi Awaiting requested review from tmessi

@louisruch louisruch Awaiting requested review from louisruch

@mcollao-hc mcollao-hc Awaiting requested review from mcollao-hc

At least 1 approving review is required to merge this pull request.

Assignees

@Dan-Heath Dan-Heath

Labels
website
Projects
None yet
Milestone
deferred
Development

Successfully merging this pull request may close these issues.
2 participants
@Dan-Heath @johanbrandhorst