This framework integrates several tools to address a key gap in deploying fully remote, distributed, and security-sensitive appliances

The currently available resources for deploying FDE usually focus on the discrete components of FDE and don’t provide information on how to fully integrate the key production requirements (recovery, monitoring, and auto-unlocking) needed to practically roll out FDE in a remote, distributed environment. We think we’re bringing a full-featured approach to the table (as well as some new tooling) that can help other community members get FDE deployed to their own fleets.

We’d be introducing the integration of the following tooling, as well as the reasoning behind our design choices:

• Full disk encryption (LUKS)
• PCR prediction and handling of TPM key resealing - more on this below
• Key escrow and recovery (Tang & Clevis): Automated recovery and onboarding
• Monitoring (Prometheus & Node Exporter): Alerting & monitoring of devices in recovery
• Reliable networking in an pre-boot environment (netplan, NetworkManager & dracut integration)
• Extension of your own initramfs (dracut)
• VPN (Wireguard): Provides remote access in firewalled/NAT’ed environments
• Remote management (SSH)

Reliably unlocking at the next boot: introduction of our PCR prediction solution

TPM-based unlocking requires predicting the state of several system components at the next boot. If this prediction fails, the TPM won’t unlock the disk decryption key, leaving the system unbootable. It follows then that a key feature of automated disk unlocking involves the prediction of the system state, before you reboot - this process is called PCR prediction.

Systemd is building the necessary components to solve this with projects such as systemd-boot and systemd-pcrlock. Unfortunately we couldn’t get around using Grub for our bootloader, and, outside of systemd, there are very few other options to perform the PCR prediction (and none that we could get to work in our setup).

We’d like to introduce our PCR prediction solution to the community and foster collaboration to make PCR prediction easier. It’s written in Python, well documented and can be easily extended.

Provides an easily extendable framework, allowing adaptation to various environments and use cases

Every environment is unique, and it’s unlikely that you’ll be able to use our setup as-is in yours. We’re hoping to not just outline the tools we’re using, but also outline a framework that you can use to set up FDE in your own environment. We’ll also show you how to customise your initramfs - a key way to change/swap out the various components we’re going to discuss in this talk.