
Remotely Wrapping Encrypted Volume Passphrases with HPCS for LUKS

By George Wilson posted Tue October 04, 2022 03:58 PM

The IBM Linux Technology Center Security Team has developed a proof-of-concept integration between Linux Unified Key Setup (LUKS) and the Key Protect API of IBM Hyper Protect Crypto Services (HPCS), called HPCS for LUKS. The package establishes a wrapping key in HPCS, and that remote key is used to encrypt the LUKS passphrases that remain stored on the local system; only the wrapped (encrypted) passphrases are kept on disk.

At boot time, a systemd unit fetches the wrapping key from HPCS, decrypts the LUKS passphrases, and populates the kernel keyring with them. Subsequent systemd processing then reads the passphrases from the keyring, unlocks the encrypted volumes, and mounts them without any operator interaction.

The primary use case for HPCS for LUKS is a remote "kill switch" for encrypted volumes, controlled by user-supplied key material: because the passphrases can only be recovered by fetching the wrapping key from HPCS, disabling or deleting that key in HPCS leaves the locally stored passphrases unrecoverable and the volumes cannot be unlocked at the next boot. Note that this acts at unlock time; a volume that is already open keeps its dm-crypt key in the kernel until it is closed or the system reboots. To learn more, please see the article I cowrote with Sandeep Batta: https://developer.ibm.com/tutorials/protect-luks-encryption-keys-with-ibm-cloud-hyper-protect-crypto-services/
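The following shell script is an added illustration of the local half of this flow, not code from HPCS for LUKS or from the linked tutorial. It models the HPCS wrapping key as a local file (a stand-in for the key the service would return over its API), wraps a passphrase with `openssl enc`, unwraps it again, and shows the kill-switch effect when the wrapping key is withdrawn. The function names, file paths, and the `keyctl` key name are hypothetical; the real package's keyring naming and crypttab integration are described in the tutorial and are not reproduced here.

```shell
#!/bin/sh
# Added example: envelope-wrapping a LUKS passphrase with a "remote" wrapping key.
# Everything here is constructed for illustration; nothing talks to HPCS.
set -eu

WORK=$(mktemp -d)
REMOTE_KEK="$WORK/hpcs-wrapping-key.txt"    # stands in for the key held in HPCS Key Protect
WRAPPED="$WORK/luks-root.passphrase.enc"    # the only thing kept on the local disk

# Stand-in for HPCS creating a 256-bit wrapping key (hex so 'openssl -pass file:' can read it).
make_remote_kek() {
    openssl rand -hex 32 > "$REMOTE_KEK"
}

# wrap_passphrase PASSPHRASE: encrypt the passphrase under the wrapping key and store
# only the ciphertext locally. printf '%s' avoids adding a trailing newline.
wrap_passphrase() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$REMOTE_KEK" -out "$WRAPPED"
}

# unwrap_passphrase: recover the passphrase. This is what a boot-time unit would do
# after fetching the wrapping key; it fails if the key is no longer available.
unwrap_passphrase() {
    if [ ! -r "$REMOTE_KEK" ]; then
        echo "wrapping key not available (revoked or unreachable)" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$REMOTE_KEK" -in "$WRAPPED"
}

# load_into_keyring NAME: place the unwrapped passphrase in the caller's user keyring
# as a 'user' key, the way a boot-time unit would hand it to later unlock steps.
# Skipped when keyutils is not installed so the script still runs in a sandbox.
load_into_keyring() {
    if command -v keyctl >/dev/null 2>&1; then
        unwrap_passphrase | keyctl padd user "$1" @u
    else
        echo "keyctl not installed; skipping keyring load" >&2
    fi
}

# kill_switch: model of disabling/deleting the wrapping key in HPCS. The wrapped
# passphrase stays on disk but can no longer be unwrapped.
kill_switch() {
    rm -f "$REMOTE_KEK"
}
```

Run it with `make_remote_kek; wrap_passphrase 'example passphrase'; load_into_keyring luks-root-demo` and then `kill_switch; unwrap_passphrase` to observe that the second unwrap fails while the ciphertext is still present. In the real design the fetch of the wrapping key is the only step that needs network access, which is why revoking the key at the service is enough to deny future unlocks.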