Closed Ulexus closed 13 hours ago
We should also think about a case when bare metal machine gets reused for a different workload or tenant, and how can we protect from that, e.g. if we could use some kernel and boot loader checksum for the key seed, something close to secure boot. Just a thought for the future
Definitely. I'm leaning toward some form of secret sharing mechanism here, where part would be supplied by the hardware, and part from the environment.
It's a good point about the kernel + image hash as a seed. I threw that away because of upgrades, but in this case, we rewrite the config on upgrades. That would mandate keeping separate configs to match to each kernel+image combination, to facilitate rollbacks, but that is actually a good thing, too.
I like the idea of using clevis/tang, or have you ruled this one out?
I like the idea of using clevis/tang, or have you ruled this one out?
no, nothing is ruled out. In fact, Talos implementation supports different methods for getting the actual encryption key. clevis/tang
might be one of them, but it's not implemented yet.
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.
The state partition should be encrypted, but it must be done without configuration, since the config is stored in the state partition itself.
Therefore, we propose a plan to use opportunistic automatic encryption in the following order:
This allows us to use encryption if we can, while seamlessly falling back to the current method if it is not available.
Note that LUKS can handle detection of whether the partition is encrypted or not, and the presence of TPM determines whether the key can be recovered from there.
Possible tools: