Network-Based LUKS Volume Decryption with Tang

Friday, December 9, 2016 - 2:00pm2:45pm

Brian J. Atkisson, Red Hat


LUKS has long been the standard for volume encryption on Linux systems. It is easy to use and provides a high level of data security, especially for Linux laptops. However, using LUKS for encrypting server volumes, especially root volumes, poses significant issues when managing systems at scale. Your options to date for providing LUKS root volume encryption have been to establish a remote console connection at system boot or to store a key blob unsecured. Obviously, the former is not possible with more than a handful of systems, and the later eliminates any security gains made by using encryption in the first place.

The use-case for server disk encryption somewhat differs from laptop encryption. You want a system to be able to boot without admin interaction while in your secured operating environment, but should be secured should someone attempt to access the volume by other means. Common examples would be sending a failed disk back to a vendor, a third party gaining access to your back-end storage array or AWS volumes.

This talk will focus on a solution to this problem and demonstrate how one can use a network-based service to securely unlock LUKS volumes at boot while maintaining encrypted data at rest.

Brian J. Atkisson, Red Hat

Brian J. Atkisson has 18 years of production systems engineering and operations experience, focusing primarily on identity management and virtualization solutions. He has worked in these roles for the University of California, Jet Propulsion Laboratory, and Red Hat, Inc. He is a Red Hat Certified Architect and Engineer, in addition to holding many other certifications and a B.S. in Microbiology. He currently is a Senior Principal Systems Engineer on the Identity and Access Management team within Red Hat IT.

LISA16 Open Access Sponsored by Bloomberg

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {201580,
author = {Brian J. Atkisson},
title = {{Network-Based} {LUKS} Volume Decryption with Tang},
year = {2016},
address = {Boston, MA},
publisher = {USENIX Association},
month = dec

Presentation Video 

Presentation Audio