[RFE] full-disk encryption leveraging systemd-cryptsetup and TPM
Current situation
Flatcar doesn't currently support full-disk encryption AFAIK.
Impact
- Without disk encryption Flatcar systems might not pass some security audit / certification requirements.
- Potential attack vector if someone can get hold of the physical disk inside a Flatcar machine.
Ideal future situation
Disks are encrypted, leveraging the TPM as a secret store to bind them to a specific machine. We can also make it so the machine must boot the installed Flatcar in order to access the encrypted disk (eliminating the attack vector of booting a different OS on the machine in order to unlock the disk).
Implementation options
From systemd 248, systemd-cryptsetup supports three hardware-backed unlocking methods for LUKS2 volumes (TPM2, FIDO2 and PKCS#11), including TPM2-based unlocking. See https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html for details.
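As an added example, not part of this RFE or of the Flatcar project: a small audit of crypttab(5) entries that checks whether each volume is actually TPM2-bound the way systemd-cryptsetup expects (no static key file, a tpm2-device= option, and a PCR policy that includes PCR 7 so unlocking depends on the Secure Boot state). The crypttab contents are constructed; the option names are systemd's real crypttab options from 248 onwards, and "PCR 7 when tpm2-pcrs= is absent" is systemd's default.

```python
# Constructed sample crypttab, not taken from a real Flatcar host. Field layout:
#   <name> <device> <key-file-or-none> <options>
SAMPLE_CRYPTTAB = """\
# data volume bound to this machine's TPM2, sealed against the Secure Boot PCR
data UUID=11111111-2222-3333-4444-555555555555 none tpm2-device=auto,tpm2-pcrs=7,discard
# enrolled against PCR 0 (firmware code) only, so the boot path is not part of the policy
scratch /dev/disk/by-partlabel/scratch none tpm2-device=auto,tpm2-pcrs=0
# unlocked from a plaintext key file on the root filesystem: no hardware binding at all
legacy /dev/disk/by-partlabel/legacy /etc/keys/legacy.key luks
"""

DEFAULT_PCRS = {7}  # systemd's default PCR selection when tpm2-pcrs= is absent


def parse_crypttab(text):
    """Return (name, device, keyfile, options) tuples; comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to audit
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def pcrs_from_options(options):
    """PCR indices the TPM2 policy is sealed against ('+'-separated in crypttab)."""
    for opt in options:
        if opt.startswith("tpm2-pcrs="):
            return {int(p) for p in opt.split("=", 1)[1].split("+") if p}
    return set(DEFAULT_PCRS)


def audit_crypttab(text):
    """Map each volume name to the list of binding problems found (empty list = OK)."""
    report = {}
    for name, _device, keyfile, options in parse_crypttab(text):
        issues = []
        if keyfile not in ("none", "-"):
            issues.append(f"static key file {keyfile}: volume is not bound to this machine")
        if not any(o.startswith("tpm2-device=") for o in options):
            issues.append("no tpm2-device= option: systemd-cryptsetup will not consult the TPM2")
        elif 7 not in pcrs_from_options(options):
            issues.append("tpm2-pcrs= omits PCR 7: unlock is not tied to the Secure Boot state")
        report[name] = issues
    return report
```

Run `audit_crypttab(open("/etc/crypttab").read())` on a host to list volumes that would still unlock on a different machine or under a different boot path.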
Additional information
We should also consider removable media. While not an issue for most servers, there is still the potential attack vector of inserting a USB drive to exfiltrate data, which could be mitigated by making that drive only work when inserted into the server.