This course teaches how to securely unlock LUKS volumes at boot using a network-based service, maintaining encrypted data at rest. The learning outcomes include understanding LUKS volume encryption, Clevis automated encryption framework, Tang server installation, and key recovery. The course aims to equip learners with the skills to set up and trust Clevis, initialize LUKS metadata, add LUKS keys, and complete the decryption process. The teaching method involves a demonstration of the solution to the problem, with a focus on practical implementation. The intended audience for this course includes system administrators, IT professionals, and individuals interested in enhancing data security on Linux systems.
Overview
Syllabus
Intro
USE CASE
BUT... DATA CENTERS ARE COMPLEX BEASTS
WHAT I DON'T WANT
ENVIRONMENT DEPENDENT DECRYPTION
TANG AND CLEVIS
TANG API
LUKS VOLUME ENCRYPTION
LUKS VOLUME LAYOUT
CLEVIS AUTOMATED ENCRYPTION FRAMEWORK
CLEVIS LUKS SETUP CLEVIS LUKS-BINO COMMAND BREAKDOWN
CLEVIS LUKS-BIND CLEVIS ENCRYPT
KEY RECOVERY
TANG SERVER INSTALL
TANG SERVER KEYS
CLEVIS SETUP INSTALLATION
SETUP AND TRUST
CLEVIS INITIALIZE LUKS METADATA
CLEVIS ADD LUKS KEY
FINAL STEP
Taught by
USENIX
