September 11-14, 2017 - Los Angeles, CA
Wednesday, September 13 • 2:50pm - 3:30pm
Using Secure Keys for Disk Encryption - Reinhard Buendgen, IBM

Secure keys are a special kind of wrapped keys: keys wrapped by a wrapping key (KEK) that is securely located in an inaccessible environment (typically a hardware security module, aka HSM). Outside this inaccessible environment, the wrapped (effective) key is never exposed, and thus a secure key can be stored in memory without exposing a secret. The downside of this technology is that all secure key cryptographic operations must be performed inside the inaccessible environment.

Using secure keys instead of clear keys has obvious advantages: it introduces a new authentication factor (something you have), it prevents keys from being subject to theft, and it allows volumes to be opened autonomously because passphrases are no longer quintessential for the protection of the effective key required to decrypt data read from disk or encrypt data written to disk.

In this presentation, you will learn how secure keys can be used for disk encryption with dm-crypt and see a proposal on how to use secure keys with the LUKS format and LUKS management tools. We will point out challenges in using secure keys and show solutions to some of the challenges based on the CryptoExpress HSM and the protected key technology of z Systems within the LUKS framework.

The presentation will close with a discussion of some open problems and of requirements for solutions that solve these problems, which will hopefully lead to a vivid discussion with the audience.

Speakers
Reinhard Buendgen

Crypto Architect for Linux on Z, IBM
Reinhard Buendgen studied computer science at the universities of Karlsruhe, Germany and Delaware in Newark, DE. In 1991 he earned a Ph.D. in computer science at the University of Tuebingen. Until 1997 he worked at the University of Tuebingen as a researcher and lecturer. During is...



Wednesday September 13, 2017 2:50pm - 3:30pm PDT
Georgia I/II
  LinuxCon Tracks