Network-Based LUKS Volume Decryption with Tang

Friday, December 9, 2016 - 2:00pm-2:45pm

Brian J. Atkisson, Red Hat

Abstract: 

LUKS has long been the standard for volume encryption on Linux systems. It is easy to use and provides a high level of data security, especially for Linux laptops. However, using LUKS to encrypt server volumes, especially root volumes, poses significant issues when managing systems at scale. Your options to date for LUKS root volume encryption have been to establish a remote console connection at every boot and enter the passphrase, or to store a key blob unprotected on the system. Obviously, the former does not scale beyond a handful of systems, and the latter eliminates any security gain from using encryption in the first place.

The use case for server disk encryption differs somewhat from laptop encryption. You want a system to boot without admin interaction while it is in your secured operating environment, but the volume must stay protected should someone attempt to access it by other means. Common examples are sending a failed disk back to a vendor, or a third party gaining access to your back-end storage array or your AWS volumes.

This talk will focus on a solution to this problem and demonstrate how one can use a network-based service to securely unlock LUKS volumes at boot while maintaining encrypted data at rest.
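The mechanism the talk describes, shown here as an added example that is not code from the talk or from the Tang project: at provisioning time the client binds a volume key to the server's public key, and at every boot it recovers that key through a blinded exchange, so the key is never transmitted and the server cannot link a recovery request to a particular binding. Tang does this over elliptic curves (the McCallum-Relyea exchange); this toy uses a plain Diffie-Hellman-style MODP group (the RFC 2409 Group 2 prime) so it runs with the Python standard library alone. All class, function and variable names below are assumptions made for the demo, not Tang or Clevis identifiers.

```python
"""Toy model of the blinded key-recovery exchange used by Tang.

Added example; not code from the talk or from the Tang project.  It uses a
Diffie-Hellman-style multiplicative group rather than Tang's elliptic-curve
keys, so it demonstrates the algebra, not the wire format.  Names are
assumptions for this demo.
"""
import hashlib
import secrets

# RFC 2409 Group 2 (1024-bit MODP) prime and generator; demo parameters only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # order of the prime-order subgroup of a safe prime


def random_scalar():
    """Uniform exponent in [2, Q)."""
    return secrets.randbelow(Q - 2) + 2


def derive_volume_key(k):
    """Turn the recovered group element into LUKS keyslot material."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()


class TangServer:
    """Server side (hypothetical name).  Holds one long-term secret s,
    publishes S = g^s, and answers a recovery request X with X^s.
    It stores nothing per client and never sees C, E or K."""

    def __init__(self):
        self._s = random_scalar()
        self.public = pow(G, self._s, P)

    def recover(self, x):
        return pow(x, self._s, P)


def provision(server_public):
    """Client-side binding, run once (what `clevis luks bind` does for real).
    Picks c, keeps C = g^c in the LUKS header metadata, derives the volume
    key from K = S^c, and then forgets both c and K."""
    c = random_scalar()
    C = pow(G, c, P)
    K = pow(server_public, c, P)
    blob = {"server_public": server_public, "C": C}
    return blob, derive_volume_key(K)


def unlock(blob, server):
    """Client-side recovery, run at every boot.  Blinds C with a fresh
    ephemeral E, asks the server for (C*E)^s, strips the blinding factor
    E^s = S^e, and is left with C^s = g^(cs) = K.  Returns the derived
    volume key and X, the only value the server observed."""
    e = random_scalar()
    E = pow(G, e, P)
    X = (blob["C"] * E) % P
    Y = server.recover(X)  # the network round trip
    unblind = pow(pow(blob["server_public"], e, P), -1, P)  # (S^e)^-1
    K = (Y * unblind) % P
    return derive_volume_key(K), X


if __name__ == "__main__":
    srv = TangServer()
    blob, key_at_bind = provision(srv.public)
    key_at_boot, x1 = unlock(blob, srv)
    _, x2 = unlock(blob, srv)
    print("key recovered at boot matches binding:", key_at_boot == key_at_bind)
    print("server saw a different blinded value each boot:", x1 != x2)
    # A stolen disk outside the secured environment cannot reach the real
    # server; any other server's answer yields garbage, not the key.
    wrong_key, _ = unlock(blob, TangServer())
    print("a different server recovers the key:", wrong_key == key_at_bind)
```

The two things to take from the demo are the threat-model properties the talk relies on: the header blob `C` plus the server's public key is useless on its own (the disk returned to the vendor or copied from the storage array carries no key), and the server keeps no per-client state and sees only a freshly blinded value each boot, so compromising its request log reveals nothing. Real deployments add the parts omitted here: Tang signs its advertised keys so the client can reject a rogue server, and Clevis stores the blob in the LUKS header and runs the exchange from the initramfs.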

LISA16 Open Access Sponsored by Bloomberg

BibTeX
@conference {201580,
author = {Brian J. Atkisson},
title = {Network-Based {LUKS} Volume Decryption with Tang},
year = {2016},
address = {Boston, MA},
publisher = {{USENIX} Association},
}