Open Source Summit + ELC North America 2020

In Linux, dm-crypt is the technology of choice to encrypt data on disks. For encrypted data the major challenge is to protect data encryption keys such that the system can be automatically started i.e. w/o a user interactively entering some kind of password.

We have implemented a solution to use dm-crypt with keys that are protected by a hardware security module (HSM). At the open source summit in 2017 we have described our kernel functions and a potential approach for integrating our solution in cryptsetup. This presentation will present the actual key management solution that was accpeted upstream consisting of a combination of extenstions to cryptsetup and new tooling to manage a key repository.

In addition, this presentation will discuss the main challenges to over come in integrating HSM protected keys in to the dm-crypt framework and continue with more advanced topics in operating such disks like accessing the right HSM, providing redundant HSM access, allowing to encrypt the root partition, and management of dm-crypt keys needed when HSM master key changes.