Transparent Disk Encryption



This talk is about (mostly) transparent disk encryption for protecting the data on disk, with unattended unlocking on boot as long as the system integrity is verified. This allows various levels of tamper detection and protection against unauthorized access, while still providing convenience and ease of use similar to plain installations.

Several components, such as TPMs, LUKS(2) and systemd-cryptenroll, are evaluated: how they work, how to use them and how they can fit together in a system. Weak spots to look out for, possible attacks on the system and mitigations against them are part of the talk as well.

Various approaches to handling issues like system verification after update installation and rollbacks are outlined and opened up for discussion.

Speaker: Fabian Vogt