Disk encryption on Talos operating system

dc.contributor: Aalto-yliopisto [fi]
dc.contributor: Aalto University [en]
dc.contributor.advisor: Peylo, Martin
dc.contributor.author: Avaznejad, Parinaz
dc.contributor.school: School of Science (Perustieteiden korkeakoulu) [fi]
dc.contributor.supervisor: Aura, Tuomas
dc.date.accessioned: 2022-02-06T18:01:46Z
dc.date.available: 2022-02-06T18:01:46Z
dc.date.issued: 2022-01-24
dc.description.abstract: Talos is a minimal, immutable, and API-driven operating system based on the Linux kernel, designed for hosting Kubernetes clusters, and it includes services tailored for this purpose. The disk partitions of a Talos node contain sensitive data about the operating system and the Kubernetes cluster running on top of it, which must be protected against unauthorized access, because data exposure can enable tampering with and manipulation of the Talos cluster, such as gaining privileged access to the node. Therefore, encrypting the disk content and protecting the confidentiality of the data is imperative for a Talos node. In the current Talos system, the key for decrypting the encrypted data is stored on a specific disk partition of the node. Thus, an adversary can access the disk content of a Talos machine by fetching the decryption key from that disk partition, and can furthermore alter the components of the boot process. This thesis presents an approach, named tpm-luks-talos, to tackle these issues. It uses the Trusted Platform Module (TPM) on the host machine to store the decryption key and to check the integrity of the system during the boot process, so that only authorized versions of the Talos operating system and boot software can decrypt the data on the encrypted disk partitions. Moreover, the thesis demonstrates unauthorized access to encrypted disks in current Talos and shows that the developed disk encryption solution works properly and protects the disk content of the node against an adversary with physical access to the machine. Furthermore, the proposed solution detects tampering and changes in the boot software. [en]
dc.format.extent: 74+9
dc.format.mimetype: application/pdf [en]
dc.identifier.uri: https://aaltodoc.aalto.fi/handle/123456789/112853
dc.identifier.urn: URN:NBN:fi:aalto-202202061746
dc.language.iso: en [en]
dc.programme: Master's Programme in Computer, Communication and Information Sciences [fi]
dc.programme.major: Security and Cloud Computing [fi]
dc.programme.mcode: SCI3084 [fi]
dc.subject.keyword: disk encryption [en]
dc.subject.keyword: Talos operating system [en]
dc.subject.keyword: trusted platform module [en]
dc.subject.keyword: Kubernetes [en]
dc.subject.keyword: Linux Unified Key Setup [en]
dc.subject.keyword: cloud computing [en]
dc.title: Disk encryption on Talos operating system [en]
dc.type: G2 Master's thesis (Pro gradu, diplomityö) [fi]
dc.type.ontasot: Master's thesis [en]
dc.type.ontasot: Master's thesis (Diplomityö) [fi]
local.aalto.electroniconly: yes
local.aalto.openaccess: yes

Files

Original bundle

Name: master_Avaznejad_Parinaz_2022.pdf
Size: 6.62 MB
Format: Adobe Portable Document Format