Disk encryption on talos operating system

Thumbnail Image

Files

master_Avaznejad_Parinaz_2022.pdf (6.62 MB)

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2022-01-24

Department

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Computer, Communication and Information Sciences

Language

en

Pages

74+9

Series

Abstract

Talos is a minimal, immutable, and API-driven operating system based on the Linux kernel designed for hosting Kubernetes clusters and includes services tailored for this purpose. Talos node disk partitions contain sensitive data about the operating system and Kubernetes clusters on top of it, which must be preserved against unauthorized access. Because data exposure can result in tampering and manipulating the Talos cluster, such as gaining privileged access to the node. Therefore, encrypting the disk content and protecting the confidentiality of data is imperative for the Talos node. In the current Talos system, the key for decrypting the encrypted data is stored on a specific disk partition of the node. Thus, an adversary can access the Talos machine disk content by fetching the decryption key from the disk partition. Furthermore, he can alter the boot process's components. This thesis presents an approach, named tpm-luks-talos, to tackle the mentioned issues. It utilizes the Trusted Platform Module (TPM) on the host machine to store the decryption key and check the system integrity during the boot process. Therefore, only authorized versions of the Talos operating system and boot software can decrypt data on the encrypted disk partitions. Moreover, the thesis demonstrates unauthorized access to encrypted disks in current Talos and shows that the developed disk encryption solution works properly and protects the node disk content against an adversary that has physical access to the machine. Furthermore, the proposed solution recognizes tampering and changes in the boot software.

Description

Supervisor

Aura, Tuomas

Thesis advisor

Peylo, Martin

Keywords

disk encryption, talos operating system, trusted platform module, Kubernetes, Linux unified key setup, cloud computing

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202202061746

Collections

[dipl] Perustieteiden korkeakoulu / SCI