2025-06-21, Track 3 (Moody Rm. 102)
As we push things like Kubernetes clusters to edge installations for reduced latency and increased availability, how protected are they against crowbar theft? Encrypting their disks reduces these risks, but then you discover corner cases in production where your servers aren't automatically decrypting, and you've effectively DoSed yourself. Oops. We'll explore an alternative with network-based decryption without escrow or proprietary hardware using the Open Source Linux tools Tang and Clevis.
Join us as we explore Tang & Clevis, a suite of Open Source tools that automagically decrypt Linux boot volumes without escrow or requiring black magic TPM configurations. These tools are useful for protecting data-at-rest in edge installations, servers in data centers, on premise or in clouds. We'll explore the state of data-at-rest encryption, the ways it's commonly done and their pitfalls, and the pros and cons of Tang and Clevis, along with a high-level investigation of their more advanced configurations, alternatives involving TPM2 and, if the stars align properly, a live demo with physical props.
Matt has been involved with all things Security, Open Source and Linux since before they were cool. He's worked with everything from Fortune 100s and Wall Street Fintech firms to a tropical fish wholesaler. When not working tech, hiking or bicycling, he enjoys geeking out with symphonies, prog rock, jazz, bluegrass and whatever else tickles his melodic, harmonic and rhythmic fancy, because it don't mean a thing if it ain't got that certain je ne sais quoi. Matt holds CISSP & CISA certifications and is currently serving as the President of the Capitol of Texas chapter of the Information Systems Security Association in Austin.