Fedora

Anaconda/Features/Encrypted Boot IPA key Management

From FedoraProject

Contents 1 Anaconda Encrypted Boot IPA key Management 1.1 Summary 1.2 Owner 1.3 Current status 1.4 Detailed Description 1.5 Target Audience 1.6 Product Variants / High Level Use Cases 1.7 Hardware Architectures 1.8 Testing 1.9 Third-Party Dependencies 1.10 Bugzilla Numbers

Anaconda Encrypted Boot IPA key Management

Summary

Provide enterprise-class key management support for encrypted devices

Owner

• Name: [Dave Lehman] / [Miloslav Trmač]

Current status

• Completed in F11: 70% - cryptsetup-luks changes are in, volume_key is in rawhide. Anaconda integration code was prepared, but is not applied yet.
• Last update July 27, 2009

Detailed Description

Add support for saving encryption keys (to recover access to a volume when the passphrase is forgotten, or when the user leaves a company), and for creating backup passphrases (to be disclosed to the user when the user forgets the passphrase and is on the road). See Key Management for general discussion, Disk encryption key escrow use cases for specifics.

Subtasks:

• Add two or three small packages (python-volume_key and volume_key-libs, perhaps python-nss) to the installation image
• Add two kickstart options (#508963) to pykickstart. The options specify an URL for a certificate (to use for encryption, implicitly enables key escrow) and a "create backup passphrase" flag.
• Add anaconda support: Download the specified certificates, and use the functionality provided by the *volume_key* packages and to store encryption keys or passphrases under $rootPath/root. (#510545)
• Add system-config-kickstart support for the new kickstart options; needs to integrate with other planned changes to the storage configuration GUI, blocked on those.
• Add FirstAidKit support for recovering access to encrypted voluems using the stored encryption keys

Target Audience

Enterprise customers want a means by which they can guarantee access to the data on encrypted block devices in employees' systems. This way they still have a way in if the user changes the device's keys/passphrases.

Product Variants / High Level Use Cases

Relevant to desktops/laptops particularly, but depending upon implementation may be interesting for other products as well e.g. to support encrypted databases, medical records protection.

Hardware Architectures

All

Testing

TBD but should be integrated with anaconda storage testing

Third-Party Dependencies

Cryptsetup-luks, volume_key, perhaps python-nss, and anaconda interdependencies

Bugzilla Numbers

• See Bug 458392 - [RFE] luks: add support for admin keyslot for the prereq from an anaconda POV

Note: The above description does not address the "admin keyslot" requirement. This remains an useful feature, does anybody own it?

• Bug 488718 - (encrypted_LVM) Support for encrypted LVs in LVM2 & key management (tracker) for a description of work in progress
• Bug 508960 - tracker for all key escrow work
• Bug 508963 - Add key escrow options to pykickstart
• Bug 510545 - (anaconda) RFE: encryption key escrow support
• Bug 508967 - (system-config-kickstart) RFE: encryption key escrow support

---

© 2009 Red Hat, Inc. and others. For comments or queries, please contact us.

The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community maintained site. Red Hat is not responsible for content.

• This page was last modified on 27 July 2009, at 14:42.
• This page has been accessed 3,310 times.
• Content is available under Attribution-Share Alike 3.0 Unported.

• Privacy policy
• About FedoraProject
• Disclaimers
• Sponsors
• Legal
• Trademark Guidelines