Open dherder opened 3 weeks ago
@dherder I think we learned from the prospect that they manage mostly Ubuntu Linux Workstations and some Red Hat Linux? Fedora Linux?
I can't find this in our notes...
@noahtalerman mostly Ubuntu with some Fedora
Hey @dherder I updated this issue to user story format and moved your original issue description here for safekeeping:
As a Client Platform Engineer, I would like to escrow Linux disk encryption keys. Specifically, LUKS format. See https://fedoraproject.org/wiki/Disk_encryption_formats for all the possible disk encryption formats.
Background: https://fedoraproject.org/wiki/Key_Management#Disk_Encryption_Key_Escrow (see sections on Handling of use cases, Implementation details).
The goal is to allow recovering from a e.g. a lost password for an encrypted drive of a company computer, by storing the necessary data about the encryption "centrally" and allowing authorized people to use it to access the encrypted data.
The threat model assumes attacks against the encrypted drives by unauthorized users, and attacks against the central data storage. Users deleting or corrupting data they have legitimate access to are out of scope (in the typical case, the user can overwrite their own hard drive or smash it with a hammer).
Goal
Context
We want to use the LUKS disk encryption format.
Instructions from Fedora on disk encryption key escrow using LUKS is here.
Changes
Product
Engineering
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation