Using Hardware Security Modules to Protect Block Devices

Explore the critical aspects of data protection using Hardware Security Modules (HSMs) in this comprehensive conference talk by Reinhard Buendgen from IBM. Delve into various attack points for data-at-rest and learn effective strategies for safeguarding against offline attacks. Examine the concept of end-to-end data encryption and understand the Linux File System Stack with dm-crypt. Address the challenge of protecting encryption keys and discover methods for generating protected keys. Gain insights into kernel support for protected keys through the pkey and PAES modules. Learn about dm-crypt volume management with secure keys and the process of HSM Master Key change. Investigate the application of HSM master keys for dm-crypt volume keys and explore ideas for extending zkey functionality. This talk provides valuable knowledge for IT professionals and security experts looking to enhance their understanding of block device protection using HSMs.

Intro
Attack points to data-at-rest
Protecting data against offline attacks
End-to-end data encryption
Linux File System Stack with dm-crypt
Protecting Encryption Keys: Catch 22?
How to Generate Protected Keys
Kernel support for protected keys: the pkey module
Kernel support for protected keys: the PAES module
Dm-crypt volume management with secure keys
HSM Master Key Change
HSM master key for dm-crypt volume keys
Extending the PAES trick to further functions
Ideas for extending zkey