
storage: investigate volume encryption

Open muhamadazmy opened this issue 6 years ago • 2 comments

muhamadazmy avatar Oct 28 '19 13:10 muhamadazmy

This has become a real concern now since the system is more and more used.

Here is a proposal, based on a scheme already used by well-known systems (e.g. iOS).

The idea is to use two keys: one for disk encryption and one for keychain encryption.

In practice, we should have a partition encrypted with a user-key; let's call that partition the keychain. This partition will contain all sensitive data (can be keys, seed, ...).

Each disk present on the system will be encrypted with a generated key, on the first run. These keys are stored on the keychain partition.

This has a couple of advantages:

  • Encryption is based on the user-key
  • You can change the user-key without re-encrypting all disks
  • You can quickly "erase" a disk by just deleting the keychain; a full disk write is not needed

In a first step, the user-key will be hardcoded, just to have the system in place quickly. In a second phase, this user-key will be fetched in a secure way we can discuss later, but at least half of the security scheme will already be in place.
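The two-key scheme above, as an added example in Go (not code from the zos project): each disk gets a generated key on first run, the keychain stores those keys wrapped under the user-key, rotating the user-key only rewraps the entries, and deleting an entry is the quick erase. AES-256-GCM as the wrapping cipher, a 32-byte user-key and an in-memory map standing in for the keychain partition are assumptions of this example.

```go
package main
import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "fmt"

// Keychain models the user-key-encrypted partition: one generated key per disk,
// stored as nonce||AES-256-GCM(userKey, diskKey). Disk contents are never touched.
type Keychain map[string][]byte
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong user-key length is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// wrap encrypts diskKey under userKey, prefixing a fresh random nonce.
func wrap(userKey, diskKey []byte) []byte {
	g := aead(userKey)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go >= 1.24)
	return g.Seal(nonce, nonce, diskKey, nil)
}
// AddDisk generates a disk key on first run and stores it wrapped in the keychain.
func (kc Keychain) AddDisk(userKey []byte, disk string) []byte {
	diskKey := make([]byte, 32)
	rand.Read(diskKey)
	kc[disk] = wrap(userKey, diskKey)
	return diskKey
}
// DiskKey unwraps a disk's key; a wrong user-key fails GCM authentication, and a deleted entry (the quick "erase") leaves the disk unreadable.
func (kc Keychain) DiskKey(userKey []byte, disk string) ([]byte, error) {
	g, e := aead(userKey), kc[disk]
	if len(e) < g.NonceSize() {
		return nil, fmt.Errorf("no keychain entry for %q", disk)
	}
	return g.Open(nil, e[:g.NonceSize()], e[g.NonceSize():], nil)
}
// Rekey changes the user-key by rewrapping every disk key; no disk is re-encrypted.
func (kc Keychain) Rekey(oldUserKey, newUserKey []byte) error {
	for disk := range kc {
		diskKey, err := kc.DiskKey(oldUserKey, disk)
		if err != nil {
			return err
		}
		kc[disk] = wrap(newUserKey, diskKey)
	}
	return nil
}
```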

maxux avatar Jul 14 '21 11:07 maxux

It seems that we might want to evaluate this w.r.t. #1319

LeeSmet avatar Jul 26 '21 13:07 LeeSmet