Slide 1: NETWORK-BOUND DISK ENCRYPTION
NYRHUG Monthly Meeting - February 2020
http://people.redhat.com/pladd
Patrick Ladd, Technical Account Manager, FSI, [email protected]
Slides 2-5: (the boot prompt, repeated on each build of the slide)
Booting...
Disk Password: █
Slide 6:
YESTERDAY: Standards (AES, PCI-DSS, etc.)
TODAY: Automation
TOMORROW: Policy
Slide 7: HOW DO WE AUTOMATE?
Slides 8-12: STANDARD PASSWORD MODEL (diagram built up over five slides; node labels follow)
Shh... I'm Secret!
Encryption Key
Key Encryption Key
"correct battery horse staple"
Slides 13-19: STANDARD ESCROW MODEL? (diagram built up over seven slides; node labels follow)
Shh... I'm Secret!
Encryption Key
Key Encryption Key
"d41d8cd9...ecf8427e"
Escrow
TLS / GSSAPI
KDC/CA
Backups
HEARTBLEED
Slide 20: LESSONS LEARNED
Presuming TLS will protect key transfer is dangerous
Complexity increases attack surface
Escrows are difficult to deploy
X.509 is hard to get right
Slide 21: ASYMMETRIC CRYPTO?
Slide 23: (EC) DIFFIE-HELLMAN KEY EXCHANGE
Server: $S \in_R [1, p-1]$, $s = g^S$
Server → Client: $s$
Client: $C \in_R [1, p-1]$, $c = g^C$
Client → Server: $c$
Server: $K = g^{CS} = c^S$
Client: $K = g^{SC} = s^C$
Slide 24: BINDING WITH ECDH (INSECURE)
PROVISIONING
Server: $S \in_R [1, p-1]$, $s = g^S$
Server → Client: $s$
Client: $C \in_R [1, p-1]$, $c = g^C$, $K = g^{SC} = s^C$
Client retains: $s, c$; discards: $K, C$
RECOVERY
Client → Server: $c$
Server: $K = c^S$
Server → Client: $K$
Weaknesses:
1. K is revealed to a passive attacker.
2. With c, the passive attacker can get K.
3. Server learns c and therefore K.
Resolved: c MUST be private.
Slide 25: MCCALLUM-RELYEA KEY EXCHANGE
PROVISIONING
Server: $S \in_R [1, p-1]$, $s = g^S$
Server → Client: $s$
Client: $C \in_R [1, p-1]$, $c = g^C$, $K = g^{SC} = s^C$
Client retains: $s, c$; discards: $K, C$
RECOVERY
Client: $E \in_R [1, p-1]$, $e = g^E$, $x = c + e$
Client → Server: $x$
Server: $y = x^S$
Server → Client: $y$
Client: $K = y - s^E$
Because: $K = g^{CS} + g^{ES} - g^{SE}$
To keep c private, e & E MUST be private.
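A worked version of the exchanges on slides 23 to 25, added here as an example and not taken from the slides or from Tang's code: it runs the insecure recovery of slide 24 beside the McCallum-Relyea recovery of slide 25 over a toy multiplicative group and reports whether the server could learn K in each case. The modulus, generator and fixed exponents are assumptions (Tang uses an elliptic-curve group); the slide's "c + e" and "y - s^E" are that group's operation, which is multiplication and division here.

```python
import secrets

# Toy group for this example: integers mod the Mersenne prime 2**31 - 1 with
# generator 7 (a primitive root of that prime). Not production parameters.
P = 2**31 - 1
G = 7


def rand_exp():
    """The slide's 'in_R [1, p-1]': a uniformly random private exponent."""
    return secrets.randbelow(P - 1) + 1


def server_setup(S=None):
    """Tang side: long-lived private S; s = g^S is what it advertises."""
    S = rand_exp() if S is None else S
    return {"S": S, "s": pow(G, S, P)}


def client_provision(s, C=None):
    """Client, holding only the advertisement s: K = s^C. Keep s and c,
    discard C and K (K is used once to wrap the volume key)."""
    C = rand_exp() if C is None else C
    c = pow(G, C, P)
    K = pow(s, C, P)
    return {"s": s, "c": c}, K


def ecdh_recover(client, server):
    """Slide 24 (insecure): the client sends c itself. Returns the K the
    client receives and the value the server was able to compute."""
    c = client["c"]                    # client -> server: c
    K = pow(c, server["S"], P)         # server: K = c^S, so it now knows K
    return K, K                        # server -> client: K


def mr_recover(client, server, E=None):
    """Slide 25: blind c with a fresh ephemeral e before sending. Returns
    the K the client derives and the only value the server computes."""
    s, c = client["s"], client["c"]
    E = rand_exp() if E is None else E
    e = pow(G, E, P)
    x = (c * e) % P                    # slide: x = c + e
    y = pow(x, server["S"], P)         # client -> server: x; server: y = x^S
    K = (y * pow(pow(s, E, P), -1, P)) % P   # server -> client: y; K = y - s^E
    return K, y                        # y = K * g^(ES): server never sees K


def compare(S=None, C=None, E=None):
    """Run both recoveries against one provisioning and report the results."""
    server = server_setup(S)
    client, K0 = client_provision(server["s"], C)
    K_dh, server_view_dh = ecdh_recover(client, server)
    K_mr, server_view_mr = mr_recover(client, server, E)
    return {
        "provisioned_K": K0,
        "ecdh_recovers_K": K_dh == K0,
        "ecdh_server_knows_K": server_view_dh == K0,
        "mr_recovers_K": K_mr == K0,
        "mr_server_knows_K": server_view_mr == K0,
    }


if __name__ == "__main__":
    print(compare())
```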
Slides 26-27: (diagram; node labels follow)
Shh... I'm Secret!
Encryption Key
Key Encryption Key
Server
MR Exchange
Crypto HW (added on slide 27)
Slide 28:

| Property | Escrow | MR Exchange |
|---|---|---|
| Server presence during provisioning | Required | Optional |
| Server presence during recovery | Required | Required |
| Server knowledge of keys | Required | None |
| Key transfer | Required | None |
| Client authentication | Required | Optional |
| Transport encryption | Required | Optional |
| End-to-end encryption | Difficult | Unneeded |
Slide 29: TANG
https://github.com/latchset/tang
Server-side daemon
Simple: HTTP + JOSE
Fast (>2k req/sec)
Extremely small
Minimal dependencies
RHEL 7.4
Slide 30: INSTALLING A TANG SERVER
$ sudo yum install tang
$ sudo systemctl enable --now tangd.socket
Slide 31: CLEVIS
https://github.com/latchset/clevis/
Decryption automation and policy framework
Minimal dependencies
Early boot integration
GNOME integration
RHEL 7.4
Slide 32: BASIC ENCRYPTION WITH TANG / LUKSV1
$ yum install clevis
$ echo redhat | clevis encrypt tang '{"url":"http://localhost"}' > mydata.jwe
The advertisement is signed with the following keys:
haD7Y8VkAyJo6vdZMrGQXCSfI
Do you wish to trust the advertisement? [yN] y
$ cat mydata.jwe
{"ciphertext":"O59czAqybvxHdme2t3I5A", ...}
$ clevis decrypt < mydata.jwe
redhat
$ systemctl stop tangd.socket
$ clevis decrypt < mydata.jwe
$ echo $?
1
Slide 33: DISK BINDING WITH TANG
$ clevis bind luks -d /dev/sda1 tang '{"url":"http://tang.srv"}'
The advertisement is signed with the following keys:
haD7Y8VkAyJo6vdZMrGQXCSfI
Do you wish to trust the advertisement? [yN] y
Enter passphrase for /dev/sda1:
$ luksmeta show -d /dev/sda1
0 active empty
1 active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
...
# For root volume unlocking at boot:
$ yum install clevis-dracut
$ dracut -f
$ reboot
# For removable storage GNOME unlocking:
$ yum install clevis-udisks2
Slide 34: KNOWN ISSUES
[root@nbde7 ~]$ ip route
default via 192.168.122.1 dev eth0
default via 192.168.122.1 dev eth0 proto dhcp metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.170
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.170 metric 100
dracut / NetworkManager integration problems
Active BZ with fix pending
Shouldn't hurt in most cases, but it looks bad
Slide 35: FROM AUTOMATION TO POLICY
YESTERDAY: Standards (AES, PCI-DSS, etc.)
TODAY: Automation
TOMORROW: Policy
Slide 36: SHAMIR SECRET SHARING
threshold = ?
Slide 37: SHAMIR SECRET SHARING (nested sharing)
threshold = ? threshold = ?
Slide 38: SIMPLE LAPTOP
unlock? (threshold = 1)
Admin Password
User Password
Slide 39: AUTOMATED LAPTOP
unlock? (threshold = 1)
Admin Password
User Password
Tang
Slide 40: HIGH SECURITY SYSTEM
unlock? (threshold = 2)
User Password
User Password
User Password
Slide 41: COMPLEX LAPTOP POLICY (policy tree; node labels as extracted)
unlock?
SSS, thresh. = 1
QR Code
SSS, thresh. = 2
TPM
SSS, thresh. = 2
Password
Yubikey
Tang
Bluetooth
Slide 42: BASIC SHAMIR'S WITH TANG
$ echo PT | clevis encrypt sss \
    '{"pins": {"tang": [{"url": "http://a.tang.srv"}, {"url": "http://b.tang.srv"}]}, "t": 1}' \
    > out.jwe
The advertisement is signed with the following keys:
haD7Y8VkAyJo6vdZMrGQXCSfI
Do you wish to trust the advertisement? [yN] y
The advertisement is signed with the following keys:
EdpESShUx4_95kGtDTsCBbPag
Do you wish to trust the advertisement? [yN] y
$ clevis decrypt < out.jwe
PT
# Bring Down Tang Server A
$ clevis decrypt < out.jwe
PT
# Bring Down Tang Server B
$ clevis decrypt < out.jwe
$ echo $?
1
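The threshold policies of slides 36 to 42, worked through as an added example (not Clevis's own code and not its share encoding): a Shamir split over a prime field, then the "t": 1 policy over two Tang servers from the command above (either server alone is enough) and the threshold = 2 policy of the high-security slide, including what a lone share yields when too few pins answer. The field modulus and the sample secret are assumptions.

```python
import secrets

# 2**127 - 1 is prime, so integers mod P form a field; secrets must be < P.
# Chosen for this example only; Clevis's sss pin does not use this field.
P = 2**127 - 1


def split(secret, n, t):
    """Split `secret` into n shares so that any t of them recover it: a random
    polynomial f of degree t-1 with f(0) = secret is evaluated at x = 1..n and
    share i is (i, f(i))."""
    if not (1 <= t <= n) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):        # Horner evaluation of f(x) mod P
            y = (y * x + a) % P
        shares.append((x, y))
    return shares


def combine(shares):
    """Lagrange-interpolate f(0) from the shares given. With fewer than t
    shares this still returns a number, just the wrong one, and nothing here
    can tell: the caller must verify the result (Clevis does, because the
    recovered value must unwrap a key before anything is unlocked)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def policy_demo(secret):
    """Model the slides' two policies. Each share stands in for one pin
    (Tang server, TPM, password...) and is available only if that pin unlocks."""
    # "t": 1 over two Tang servers: whichever server still answers suffices.
    tang_a, tang_b = split(secret, n=2, t=1)
    # threshold = 2 over three factors: any two must be present.
    f1, f2, f3 = split(secret, n=3, t=2)
    return {
        "tang_a_only": combine([tang_a]) == secret,
        "tang_b_only": combine([tang_b]) == secret,
        "two_of_three": combine([f1, f3]) == secret,
        "one_of_three": combine([f2]) == secret,   # a lone factor must not unlock
    }


if __name__ == "__main__":
    print(policy_demo(424242))
```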
Slide 43: EXPLORING THE ECOSYSTEM
Slide 44: DEPENDENCY: JOSÉ
https://github.com/latchset/jose
JSON Object Signing and Encryption
C Library & Command Line Utility
Bottom Line: User-Friendly, Standards Compliant Crypto
$ jose jwk gen -i '{"alg": "A128GCM"}' -o oct.jwk
$ jose jwk gen -i '{"alg": "RSA1_5"}' -o rsa.jwk
$ jose jwk gen -i '{"alg": "ES256"}' -o ec.jwk
$ echo hi | jose jwe enc -i- -k rsa.pub.jwk -o msg.jwe
$ jose jwe dec -i msg.jwe -k rsa.jwk
hi
$ jose jwe dec -i msg.jwe -k oct.jwk
Decryption failed!
$ echo hi | jose jws sig -i- -k ec.jwk -o msg.jws
$ jose jws ver -i msg.jws -k ec.pub.jwk
hi
$ jose jws ver -i msg.jws -k oct.jwk
No signatures validated!
Slide 45: DEPENDENCY: LUKSMETA
https://github.com/latchset/luksmeta
Store metadata in LUKSv1 header gap
C library & Command Line Utility
$ echo hi | luksmeta save -d /dev/sdc1 -s 2 -u EC998562-B60D-47F0-A579-DCA8C12F5BF6
$ luksmeta load -d /dev/sdc1 -s 2 -u EC998562-B60D-47F0-A579-DCA8C12F5BF6
hi
$ luksmeta load -d /dev/sdc1 -s 2 -u 12618962-A1E5-48F1-B327-D7C60E20FC02
Slot contains different UUID
Slide 46: FUTURE FEATURES
JOSÉ: PKCS#11 Support; Python Bindings; Additional crypto backends; Additional algorithms
CLEVIS: Password Pin; PKCS#11 Pin (including, in the future, TPM); Ext4 encryption support
TANG: Binding IDs (Optional; sacrifices anonymity); Revocation (requires Binding IDs)
Slide 49: DEMO
Slide 50: RESOURCES
RHEL 7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Network-Bound_Disk_Encryption.html
RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening
Multi-device setup: https://access.redhat.com/articles/4500491
Slide 51: QUESTIONS?