Automatic data encryption and decryption with Clevis and Tang

Passing Secrets

The device mapper with the dm-crypt target [1] and the Linux Unified Key Setup (LUKS) [2] extension are normally used to encrypt entire hard disks under Linux. Both components can easily handle any kind of block devices. Therefore, it does not matter whether the device to be encrypted is a hard disk, an LVM volume, or a USB stick. LUKS usually uses a 256-bit AES key that is protected with a passphrase to encrypt the data. If required, several of these passphrases can be stored in the LUKS metadata, which enables access to the key that decodes the data again.

To discover how many of these keys exist for a device and to add new keys, you call:

cryptsetup luksDump <LUKS device>
cryptsetup luksAddKey <LUKS device>

Each key is stored in its own key-slot, or a total of eight areas.

Users need to enter the passphrases manually, which is inconvenient. For example, if the root volume of a computer is encrypted, the system does not start until one of the previously defined passphrases has been entered. In this article, I show you how to automate this process.

Managing Secrets

Vaults are typically used to store and manage all kinds of secrets; they primarily serve as key escrows. If a secret is lost, it can be recovered through an escrow service. The terms "vault" and "key escrow" are merely modern terms for a data storage device that stores particularly sensitive data, such as passwords, certificates, or tokens. In most cases, an API is available for accessing such a service. One well-known representative of these data storage devices is HashiCorp Vault [3].

However, vaults have many problems. No one would want a secret stored in a vault to be transferred between the

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES

Print Issues

Digital Issues

 

SUBSCRIPTIONS

Print Subs

Digisubs

 

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia