D2wn at 03:33, 31 October 2025

2025-10-31T03:33:32Z

← Older revision		Revision as of 03:33, 31 October 2025
Line 3:		Line 3:
	### Refresher: Disk Encryption		### Refresher: Disk Encryption
	### On Linux usually use Linux Unified Key System (LUKS)		### On Linux usually use Linux Unified Key System (LUKS)
	#### See: Noah's LUKS presentation (~~LINK~~ ~~HERE~~)		#### See: Noah's LUKS presentation ([[Minutes 2025-10-02]])
	### Why?		### Why?
	### Protects data against unauthorized access		### Protects data against unauthorized access

D2wn: added Meeting Minutes category tag

2025-10-31T03:32:56Z

added Meeting Minutes category tag

← Older revision		Revision as of 03:32, 31 October 2025
Line 100:		Line 100:
	### Allows for unattended unlocking, improves practicality of FDE systems		### Allows for unattended unlocking, improves practicality of FDE systems
	### Tang/Clevis and Mandos		### Tang/Clevis and Mandos
			[[Category:Meeting Minutes]]

D2wn: initial commit

2025-10-31T03:32:37Z

initial commit

New page

# Network Bound Disk Encryption by Simone!
## Background
### Refresher: Disk Encryption
### On Linux usually use Linux Unified Key System (LUKS)
#### See: Noah's LUKS presentation (LINK HERE)
### Why?
### Protects data against unauthorized access
#### AKA Theft/Loss
### Nice when decommissioning hardware
#### Peace of mind that the data is inaccessible
### However, typically requires a password to unlock
#### Does not work when rebooting remote servers
## What about TPM?
### Can allow for automatic unlocking of disk
### But... security issues
#### Key sniffing attacks
#### Backdoor concerns
##### TPMs made by third-party manufacturers
#### fTPM
##### Potentially vulnerable to firmware attacks
### Not always available on all hardware platforms
## This leads into Network Bound Disk Encryption
### Don't have to manually enter password
### Typically involves a keyserver
### Allow decryption under some circumstances
#### On a trusted network, during a time interval, etc
### Clevis/Tang
#### Pushed by RedHat, but Distro agnostic
#### Clevis = Key retrieval for LUKS volumes
#### Tang = Stateless HTTP endpoint for Clevis
#### Because stateless, prevents sniffing/replay attacks on a network
#### Supports root and secondary devices
### Mandos
#### Older, less well-known
#### Specific to Ubuntu(/Debian)
#### Stateful, stores secret on the server
#### Uses TLS
#### Time-based, checks if a client goes offline
#### Root filesystem only
#### Refuses to send decryption key if device has been offline for too long
##### Protect against tampering/lost devices being turned on again
## How it works
### Key exchange to get decryption key
### LUKS volume can still be decrypted with a password, if manual maintenance is ever required or the keyserver breaks
## Live Demo!
### Two VMs
#### Client and Server
### Can reboot client
#### Boots into initramfs
##### Gets IP via DHCP
##### Connects to Tang server
##### Received needed secrets, continues boot process
### Wireshark capture of client booting
#### Data is transmitted via JSON over HTTP
#### Data is ephemeral, not useful beyond this current initial session
### Multiple keyslots to decrypt the LUKS volume
#### Keyslot 0 = Decrypted with a password (for manual decryption)
#### Keyslot 1 = Used by Clevis for the network-bound decrypt
## Common implementations
### Headless servers
### Remote offices
### Devices spread across wide geographical regions
### Cloud/VM environments
#### Allow each guest to have its own encryption rather than managed at the hypervisor-level
## Security
### Clevis/Tang
#### Designed for a trusted network
#### McCallum-Relyea key exchange means data is meaningless to an attacker
## NBDE over the internet is possible
### Clevis can use HTTPS
### Mandos uses TLS
### However, more common to just run it through a site-to-site VPN
#### Also reduces your infrastructure's attack service
##### Only the VPN port is exposed to the internet rather than Clevis
## Limitations
### Requires Server and client have network connection and be available at the same time
#### Server outage means clients can't get their decryption keys
#### Can run redundant Tang/Mandos servers ti be keyservers for each other
### Linux-only
#### Windows apparently has a similar feature in Windows AD with Bitlocker
#### Obscure and extremely limited
### No user authentication
### Live attacks
### Freezing DIMMs to read memory contents and extract key content
#### Mitigated by encrypting RAM contents
### Consider your threat model/attacker
#### Works against the common thief/burglar
#### Maybe not against a nation state adversary, but you'll have bigger problems to worry about
## Future extensions
### MFA authentication
#### Tang+TPM for dual control
#### Security keys/smartcards
### More user-friendly UX/interfaces
### Direct VPN integration
#### Wireguard tunnel inside initramfs for encryption-across-internet use-cases
### Support beyond just LUKS
#### ZFS/Bitlocker/FileVault?
#### Realistically integration extremely unlikely, especially knowing Apple (in this case, for FileVault)
## Summary
### Allows for unattended unlocking, improves practicality of FDE systems
### Tang/Clevis and Mandos

Minutes 2025-10-30 - Revision history

D2wn at 03:33, 31 October 2025

D2wn: added Meeting Minutes category tag

D2wn: initial commit