LKML on LUKS 路 Jasper's latest attempt at blogging

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" type="text/css" href="./theme/css/elegant.prod.9e9d5ce754.css" media="screen"> <link rel="stylesheet" type="text/css" href="./theme/css/custom.css" media="screen"> <link rel="dns-prefetch" href="//fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com/" crossorigin> <meta name="author" content="Jasper Spaans" /> <meta property="og:type" content="article" /> <meta name="twitter:card" content="summary"> <meta name="keywords" content="lkml, LUKS, GDPR, lkml, " /> <meta property="og:title" content="LKML on LUKS "/> <meta property="og:url" content="./lkml-luks.html" /> <meta property="og:description" content="Why would lkml.org even use LUKS?" /> <meta property="og:site_name" content="Jasper's latest attempt at blogging" /> <meta property="og:article:author" content="Jasper Spaans" /> <meta property="og:article:published_time" content="2023-12-12T02:37:56+00:00" /> <meta property="og:article:modified_time" content="2023-12-12T02:37:56+00:00" /> <meta name="twitter:title" content="LKML on LUKS "> <meta name="twitter:description" content="Why would lkml.org even use LUKS?"> <title>LKML on LUKS 路 Jasper's latest attempt at blogging </title> <link href="https://blog.jasper.es/feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="Jasper's latest attempt at blogging - Full Atom Feed" />  <script> var _paq = window._paq = window._paq || []; _paq.push(['trackPageView']); (function() { var u="//m.lkml.org/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '3']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script>  </head> <body> <div id="content"> <div class="navbar navbar-static-top"> <div class="navbar-inner"> <div class="container-fluid"> <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </a> <a class="brand" href="./"><span class=site-name>Jasper's latest attempt at blogging</span></a> <div class="nav-collapse collapse"> <ul class="nav pull-right top-menu"> <li > <a href= . >Home</a> </li> <li ><a href="./categories.html">Categories</a></li> <li ><a href="./tags.html">Tags</a></li> <li ><a href="./archives.html">Archives</a></li> <li><form class="navbar-search" action="./search.html" onsubmit="return validateForm(this.elements['q'].value);"> <input type="text" class="search-query" placeholder="Search" name="q" id="tipue_search_input"></form></li> </ul> </div> </div> </div> </div> <div class="container-fluid"> <div class="row-fluid"> <div class="span1"></div> <div class="span10"> <article itemscope> <div class="row-fluid"> <header class="page-header span10 offset2"> <h1> <a href="./lkml-luks.html"> <span class="caps">LKML</span> on <span class="caps">LUKS</span> </a> </h1> </header> </div> <div class="row-fluid"> <div class="span8 offset2 article-content"> <p>When <a class="reference external" href="https://lkml.org/">https://lkml.org/</a> went down recently, I initially thought this had to do with the fact that the machine that was hosting it at the time was configured to use full disk encryption (<span class="caps">FDE</span>). No mechanism has been configured to provide it with the crypto key automatically, which means that rebooting such a machine requires a manual step.</p> <p>This led to a <a class="reference external" href="https://www.reddit.com/r/linux/comments/7pqyva/lkmlorg_is_down_because_its_hosted_at_one_guys/dsji97c/">question on reddit</a> “why a machine which hosts a public visible mailinglist need[s] an encrypted drive?” There are several reasons why I’m using <a class="reference external" href="https://gitlab.com/cryptsetup/cryptsetup/wikis/home"><span class="caps">LUKS</span></a> on this machine.</p> <p>Basically using <span class="caps">FDE</span> in my mind should be a default, and if it is not being used, there should be a good reason for it. This might be caused by the fact that I have been working at a <a class="reference external" href="https://www.fox-it.com/"><span class="caps">IT</span> security company</a> for most of this decade, and am now working at <a class="reference external" href="https://www.startmail.com/">StartMail</a>, an email provider that focusses on privacy. In both these environments, due to the nature of the data being processed, there should never be plaintext data being stored on disks - it is just considered basic digital hygiene, and I try to apply it to all data I store.</p> <p>However, even though I think it is a good idea, this is not a very satifsying reason as it comes down to “I use <span class="caps">LUKS</span> because I always use <span class="caps">LUKS</span>.”</p> <p>Here are two stronger arguments for using <span class="caps">LUKS</span> in this specific case:</p> <ol class="arabic"> <li><p class="first">The machine on which <a class="reference external" href="https://lkml.org/">https://lkml.org/</a> was hosted is also used to host other VMs and data. Examples of these include VMs with my pet projects, but also my private mail <a class="footnote-reference" href="#footnote-1" id="footnote-reference-1">[1]</a> and backups of my other machines and photographs.</p> <p>So, one reason I use <span class="caps">LUKS</span> is that there is private data on that machine that should not fall into the wrong hands.</p> <p>You might ask if that is an actual risk? It is - I’ve had several drives fail on me in the last years under warranty, and I’ve been able to just pull them out of the machine and send them back to the shop or manufacturer without having to do a round of wiping, because I know that the data is encrypted securely. I hope those disks will not be dusted off and flashed with another firmware to be sold as refurbished ones, but if that happens, I don’t want my data to be on them. <a class="footnote-reference" href="#footnote-2" id="footnote-reference-2">[2]</a></p> <p>I’ve also gotten rid of disks that haven’t failed yet: when upgrading, I think it is a waste to throw away perfectly fine hardware, even if it is outdated, so I tend to sell or give away old hardware on the Marktplaats, the Dutch craigslist. Again, not having to wipe those disks</p> </li> <li><p class="first">I am a European citizen. This means that on May 25th of 2018, the General Data Protection Regulation (<span class="caps">GDPR</span>) will come into force. I am not a lawyer or <span class="caps">GDPR</span> expert, but I do know that hosting a public mailing list archive is affected by this. The best known part of the <span class="caps">GDPR</span> is “the right to be forgotten”, which states that it should become possible for individuals to have access to data about them to be removed. I am still thinking about how to implement this for lkml.org and will get back to that in a later article.</p> <p>A right more relevant to this post is the “Privacy by Design” part. Even though I am not a <span class="caps">GDPR</span> expert, I do claim knowing a thing or two about privacy, and applying <span class="caps">FDE</span> is one measure that should be applied to make it harder to cause privacy breaches.</p> </li> </ol> <p>For me, all these points are valid reasons for applying <span class="caps">FDE</span> to “a machine which hosts a public visible mailinglist”. Now go on and read up on how to implement <span class="caps">FDE</span> for all of your systems.</p> <table class="docutils footnote" frame="void" id="footnote-1" rules="none"> <colgroup><col class="label" /><col /></colgroup> <tbody valign="top"> <tr><td class="label"><a class="fn-backref" href="#footnote-reference-1">[1]</a></td><td>Yes, I am aware of the fact that I work at an email service provider and am hosting my private mail. It’s just that I’ve been hosting my personal email myself for the last twenty years or so and don’t mind spending a small bit of time on keeping that setup working. Besides, having experience with hosting mail helped me with getting my current job.</td></tr> </tbody> </table> <table class="docutils footnote" frame="void" id="footnote-2" rules="none"> <colgroup><col class="label" /><col /></colgroup> <tbody valign="top"> <tr><td class="label"><a class="fn-backref" href="#footnote-reference-2">[2]</a></td><td>I know that lots of companies will have “Keep Your Drive” (<span class="caps">KYD</span>) agreements with their suppliers, so they can destroy failed drives and get fresh ones without having to expose their data. By employing <span class="caps">FDE</span> rigorously, you can just let Dell stare at your encrypted data and don’t have worry about <span class="caps">KYD</span>.</td></tr> </tbody> </table> <hr/> </div> <section id="article-sidebar" class="span2"> <h4>Published</h4> <time itemprop="dateCreated" datetime="2023-12-12T02:37:56+00:00">2023-12-12T02:37</time> <h4>Category</h4> <a class="category-link" href="./categories.html#lkml-ref">lkml</a> <h4>Tags</h4> <ul class="list-of-tags tags-in-article"> <li><a href="./tags.html#gdpr-ref">GDPR <span class="superscript">1</span> </a></li> <li><a href="./tags.html#lkml-ref">lkml <span class="superscript">1</span> </a></li> <li><a href="./tags.html#luks-ref">LUKS <span class="superscript">1</span> </a></li> </ul> </section> </div> </article>  <div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">  <div class="pswp__bg"></div>  <div class="pswp__scroll-wrap">  <div class="pswp__container"> <div class="pswp__item"></div> <div class="pswp__item"></div> <div class="pswp__item"></div> </div>  <div class="pswp__ui pswp__ui--hidden"> <div class="pswp__top-bar">  <div class="pswp__counter"></div> <button class="pswp__button pswp__button--close" title="Close (Esc)"></button> <button class="pswp__button pswp__button--share" title="Share"></button> <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button> <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>   <div class="pswp__preloader"> <div class="pswp__preloader__icn"> <div class="pswp__preloader__cut"> <div class="pswp__preloader__donut"></div> </div> </div> </div> </div> <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap"> <div class="pswp__share-tooltip"></div> </div> <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)"> </button> <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)"> </button> <div class="pswp__caption"> <div class="pswp__caption__center"></div> </div> </div> </div> </div> </div> <div class="span1"></div> </div> </div> </div> <footer> <div id="fpowered"> Powered by: <a href="http://getpelican.com/" title="Pelican Home Page" target="_blank" rel="nofollow noopener noreferrer">Pelican</a> Theme: <a href="https://elegant.oncrashreboot.com/" title="Theme Elegant Home Page" target="_blank" rel="nofollow noopener noreferrer">Elegant</a> </div> </footer> <script src="//code.jquery.com/jquery.min.js"></script> <script src="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script> <script src="./theme/js/elegant.prod.9e9d5ce754.js"></script> <script> function validateForm(query) { return (query.length > 0); } </script> <script> (function () { if (window.location.hash.match(/^#comment-\d+$/)) { $('#comment_thread').collapse('show'); } })(); window.onhashchange=function(){ if (window.location.hash.match(/^#comment-\d+$/)) window.location.reload(true); } $('#comment_thread').on('shown', function () { var link = document.getElementById('comment-accordion-toggle'); var old_innerHTML = link.innerHTML; $(link).fadeOut(200, function() { $(this).text('Click here to hide comments').fadeIn(200); }); $('#comment_thread').on('hidden', function () { $(link).fadeOut(200, function() { $(this).text(old_innerHTML).fadeIn(200); }); }) }) </script> </body>  </html>

CINXE.COM

LKML on LUKS 路 Jasper's latest attempt at blogging