Authenticated and Encrypted Storage on Embedded Linux

Explore authenticated and encrypted storage solutions for embedded Linux systems in this 34-minute conference talk. Gain insights into various kernel-provided building blocks, including dm-crypt, dm-verity, dm-integrity, fscrypt, ecryptfs, IMA/EMV, fsverity, and UBIFS authentication. Understand the trade-offs and limitations of cryptographic tools to select the most appropriate combination for your project. Discover how storage design impacts performance, security, and development ease, and learn to make informed decisions early in the project lifecycle. Delve into mature and recently implemented mechanisms, focusing on their suitability for specific embedded use cases. Cover topics such as the Linux storage stack, transparent authentication and encryption, crypto refresher, master key storage, recovery options, and field return mode. Receive practical recommendations to optimize your embedded Linux storage implementation.

Intro
Linux Storage Stack
Transparent Authentication and Encryption
Quick Crypto Refresher
Overview
dm-verity (since 2012, v3.4)
dm-integrity (since 2017, v4.12)
dm-crypt with authentication
fsverity (since 2019, v5.4)
UBIFS Authentication (since 2018, v4.20)
Master Key Storage
Recovery: Split RO and RW?
Field Return Mode
Recommendations