What Is Linux Kernel Keystore and Why You Should Use It in Your Next Application

Friday, June 16, 2023 - 9:00 am to 9:55 am

Ignat Korchagin, Cloudflare


Did you know that Linux has a keystore ready to be used by any application or service? Applications can securely store and share credentials and keys, sign and encrypt data, and negotiate a common secret, all without ever touching a single byte of the underlying cryptographic material.

This is especially useful in cloud-native environments, where services authenticate and securely talk to each other. But if a network-facing service also holds a secret in its process address space, it sets itself up for failure: any out-of-bounds memory access vulnerability may allow that secret to leak. Imagine a world where you don’t have to run an SSH agent just to protect your SSH keys.

On top of keeping your secrets secret, the Linux keystore integrates with security hardware, such as TPMs and HSMs, and can provide a single entry point for applications to obtain their secrets.
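The property the abstract leans on, that an application can hold a key it can use but never read, is visible directly in the kernel's key types. The following is an added example written for this page, not code from the talk or from Cloudflare; it assumes a Linux kernel built with CONFIG_KEYS and a process whose seccomp policy does not block `add_key`/`keyctl` (it reports "unavailable" rather than failing when that is the case). The "demo:user" and "demo:logon" descriptions and the secret string are constructed sample values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>          /* KEYCTL_READ, KEYCTL_UNLINK, KEY_SPEC_* */
typedef int32_t key_serial_t;      /* same type libkeyutils uses */

/* Raw syscall wrappers, so the example needs no libkeyutils. */
static key_serial_t add_key_raw(const char *type, const char *desc,
                                const void *payload, size_t plen, key_serial_t ring)
{
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen, ring);
}
static long read_key_raw(key_serial_t key, void *buf, size_t len)
{
    return syscall(SYS_keyctl, KEYCTL_READ, key, buf, len);
}
/* Keystore not reachable at all: seccomp (EPERM), no syscall (ENOSYS), policy. */
static int keystore_unavailable(int err)
{
    return err == EPERM || err == ENOSYS || err == EACCES;
}

/* 1: observed the expected behaviour; 0: keystore unavailable here; -1: unexpected. */
int keystore_demo(void)
{
    const char secret[] = "constructed-demo-secret";   /* constructed sample */
    size_t slen = sizeof secret - 1;
    char buf[64] = {0};
    key_serial_t ring = KEY_SPEC_PROCESS_KEYRING;

    /* A "user" key is an opaque blob that userspace may read back. */
    key_serial_t ukey = add_key_raw("user", "demo:user", secret, slen, ring);
    if (ukey < 0) return keystore_unavailable(errno) ? 0 : -1;
    long n = read_key_raw(ukey, buf, sizeof buf);
    if (n < 0) return keystore_unavailable(errno) ? 0 : -1;
    if ((size_t)n != slen || memcmp(buf, secret, slen) != 0) return -1;

    /* A "logon" key (description "service:id") is kernel-only: the kernel can
     * use it on the process's behalf, but KEYCTL_READ fails with EOPNOTSUPP. */
    key_serial_t lkey = add_key_raw("logon", "demo:logon", secret, slen, ring);
    if (lkey < 0) return keystore_unavailable(errno) ? 0 : -1;
    n = read_key_raw(lkey, buf, sizeof buf);
    int result = (n < 0 && errno == EOPNOTSUPP) ? 1
               : (n < 0 && keystore_unavailable(errno)) ? 0 : -1;

    syscall(SYS_keyctl, KEYCTL_UNLINK, ukey, ring);   /* tidy up the keyring */
    syscall(SYS_keyctl, KEYCTL_UNLINK, lkey, ring);
    return result;
}
```

On a host where the calls are permitted, `keyctl show` run afterwards will no longer list the two demo keys, since they were unlinked from the process keyring.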

Ignat Korchagin, Cloudflare

Ignat is a systems engineer at Cloudflare working mostly on Linux. Ignat’s interests are cryptography, hacking, and low-level programming. Before Cloudflare, Ignat worked as a senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smartphones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services.

@conference {288309,
author = {Ignat Korchagin},
title = {What Is Linux Kernel Keystore and Why You Should Use It in Your Next Application},
year = {2023},
address = {Singapore},
publisher = {USENIX Association},
month = jun
}
