Hi
user
Admin Login:
Username:
Password:
Name:
Clevis and Tang: securing your secrets at rest
--client
lca
--show
lca2020
--room room_8 15185 --force
Next: 1 It's All About Timing
show more...
Marks
Author(s):
Fraser Tweedale
Location
Room 8
Date
jan Wed 15
Days Raw Files
Start
14:25
First Raw Start
error-in-template
Duration
0:45:0
Offset
None
End
15:10
Last Raw End
Chapters
Total cuts_time
None min.
https://lca2020.linux.org.au/schedule/presentation/29/
raw-playlist
raw-mp4-playlist
encoded-files-playlist
mp4
svg
png
assets
release.pdf
Clevis_and_Tang_securing_your_secrets_at_rest.json
logs
Admin:
episode
episode list
cut list
raw files day
marks day
marks day
image_files
State:
---------
borked
edit
encode
push to queue
post
richard
review 1
email
review 2
make public
tweet
to-miror
conf
done
Locked:
clear this to unlock
Locked by:
user/process that locked.
Start:
initially scheduled time from master, adjusted to match reality
Duration:
length in hh:mm:ss
Name:
Video Title (shows in video search results)
Emails:
email(s) of the presenter(s)
Released:
has someone authorised pubication
Unknown
Yes
No
Normalise:
Channelcopy:
m=mono, 01=copy left to right, 10=right to left, 00=ignore.
Thumbnail:
filename.png
Description:
markdown
Full disk encryption and, more generally, encryption of secrets at rest are essential tools in the security toolbox. But deploying encryption at rest can have costs: latency (downtime), repetition (productivity loss), proneness to error (typos; "was that '1' or 'l'?"), challenges in supplying a passphrase when needed (e.g. headless systems). Automated decryption often relies on delivery of escrowed keys (a third party knows your secret). We can do better. _Tang_ [1] is a protocol and (along with the client-side program _Clevis_ [2]) software implementation of *network bound encryption*; that is, automatic decryption of secrets when a client has access to a particular server on a secure network. It uses McCallum-Relyea exchange, a two-party key computation protocol based on Diffie-Hellman where only the client can compute the key! _Clevis_ [2] uses the amazing *Shamir's Secret Sharing* algorithm to implement unlock policies with thresholds that can include passphrases, Tang servers and TPM-sealed secrets. In this talk I will outline the use cases, explain the algorithms and demonstrate these tools. The live demo will set up a machine to automatically decrypt a LUKS volume when a required number of Tang servers are available. I will conclude with a discussion of limitations, assumptions and threats. [1] https://github.com/latchset/tang [2] https://github.com/latchset/clevis
Comment:
production notes
Rf filename:
root is .../show/dv/location/, example: 2013-03-13/13:13:30.dv
Sequence:
get this:
check and save to add this
Veyepar
Video Eyeball Processor and Review