Overview
Explore network-based LUKS volume decryption using Tang in this LISA16 conference talk. Learn how to unlock encrypted server volumes at boot without administrator interaction, addressing the challenge of managing encrypted systems at scale. The approach keeps data protected at rest while allowing automated decryption only when the machine is inside its trusted network environment. Gain insights into the Tang API, LUKS volume encryption and on-disk layout, the Clevis automated encryption framework, and the step-by-step process of setting up and deploying the system. Understand how the server use case differs from laptop full-disk encryption, and how this approach protects data even when disks are accessed by third parties or hosted in cloud environments.
Syllabus
Intro
USE CASE
BUT... DATA CENTERS ARE COMPLEX BEASTS
WHAT I DON'T WANT
ENVIRONMENT DEPENDENT DECRYPTION
TANG AND CLEVIS
TANG API
LUKS VOLUME ENCRYPTION
LUKS VOLUME LAYOUT
CLEVIS AUTOMATED ENCRYPTION FRAMEWORK
CLEVIS LUKS SETUP
CLEVIS LUKS-BIND COMMAND BREAKDOWN
CLEVIS LUKS-BIND
CLEVIS ENCRYPT
KEY RECOVERY
TANG SERVER INSTALL
TANG SERVER KEYS
CLEVIS SETUP INSTALLATION
SETUP AND TRUST
CLEVIS INITIALIZE LUKS METADATA
CLEVIS ADD LUKS KEY
FINAL STEP
Taught by
USENIX