HYOK on Linode LKE

What is HYOK????
HYOK stands for “Hold Your Own Key.” It is an acronym commonly used in the field of information security and encryption. HYOK refers to a data protection strategy where an organization retains full control over the encryption keys used to secure its sensitive data, even when that data is stored or processed by a third-party service provider.

What is LKE???? LKE is Linodes Managed Kubernetes Service.

We will in this blogpost explore how to enable a HYOK model on Linode Kubernetes Engine (LKE)

In today’s digital age, data privacy has become a significant concern for individuals, businesses, and governments alike. The General Data Protection Regulation (GDPR) was introduced in 2018 to address these concerns and provide individuals with greater control over their personal data. However, the implementation of GDPR poses several challenges, particularly regarding data sovereignty. One potential solution to overcome these challenges is the use of encryption keys. In this article, we will explore the challenges associated with GDPR and sovereignty and discuss how keeping the encryption keys can help resolve them.

 
 

The Challenges of GDPR and Sovereignty

1. Cross-border Data Transfers

The GDPR places restrictions on the transfer of personal data to countries outside the European Economic Area (EEA) that do not offer an adequate level of data protection. This requirement often creates difficulties for businesses operating globally, as they need to ensure compliance when transferring data across borders. The challenge lies in balancing data protection requirements with the efficient flow of data, which is vital for many industries.

2. Legal and Regulatory Variations

GDPR compliance becomes more complex when dealing with multiple legal and regulatory frameworks. Each country may have its own interpretation of data protection laws, leading to inconsistent requirements and obligations. Navigating through these variations can be a significant challenge for multinational organizations, requiring substantial legal resources and expertise.

3. Data Access and Control

Under GDPR, individuals have the right to access and control their personal data held by organizations. However, providing such access while ensuring data privacy and security can be a delicate balancing act. Organizations must authenticate the data subject’s identity and protect against unauthorized access, which can be difficult when dealing with decentralized data storage or cloud-based services.

The Role of Encryption Keys

Encryption plays a crucial role in protecting data privacy and security. It involves converting data into an unreadable format, known as ciphertext, using an encryption algorithm and a unique encryption key. Encryption keys are the secret codes required to decrypt the data and convert it back into its original form, known as plaintext.

By keeping encryption keys within the control of data owners or organizations, several challenges associated with GDPR and data sovereignty can be mitigated:

1. Enhanced Data Security

By encrypting personal data and retaining control of the encryption keys, organizations can ensure that even if the data is accessed or intercepted, it remains unreadable and useless to unauthorized individuals. Encryption provides an additional layer of security, making it significantly more challenging for malicious actors to exploit sensitive information.

2. Data Sovereignty and Cross-border Transfers

Encryption keys allow organizations to maintain control over their data, regardless of its physical location. With the proper encryption mechanisms in place, organizations can securely transfer data across borders without violating GDPR requirements. By encrypting data before it leaves the jurisdiction and only providing decryption keys when authorized, businesses can ensure compliance while facilitating cross-border data flows.

3. Balancing Data Access and Control

Encryption keys enable organizations to implement robust access controls. By controlling who has access to the encryption keys, organizations can authenticate and authorize individuals before providing them with decrypted data. This process ensures that data subjects can exercise their rights under GDPR while protecting against unauthorized access or data breaches.

Conclusion

GDPR has undoubtedly set a new standard for data protection and privacy. However, its implementation presents challenges related to data sovereignty, cross-border transfers, and legal variations. Encryption keys offer a powerful solution to these challenges, providing enhanced data security, facilitating cross-border data transfers, and enabling organizations to balance data access and control effectively.

By adopting encryption and retaining control over encryption keys, organizations can navigate the complexities of GDPR while safeguarding data privacy and complying with regulatory requirements. As technology continues to evolve, encryption and encryption key management will remain critical in ensuring the protection of personal data and maintaining trust in the digital ecosystem.

 
 

Encrypting your Linode Kubernetes Engine (LKE) workloads with an externally managed key

Lets walk through what components goes into creating and Kubernetes environment in Linode where the encryption keys are held outside of the system.

Open Source Key Management: Tang and Clevis

Clevis and Tang are open-source software tools developed by Red Hat that can be used in conjunction with the Linux Unified Key Setup (LUKS) encryption system to provide secure key management and automation. While Clevis focuses on encrypting and decrypting data, Tang acts as a network service that securely distributes encryption keys. Together, they can offer several benefits in addressing the challenges of GDPR and data sovereignty:

1. Simplified Key Management

Clevis and Tang simplify the management of encryption keys by automating the process. Instead of manually entering encryption keys, Clevis can bind the encryption key to a network-bound object, such as a Tang server. This automated approach reduces the administrative burden and potential for human error, making key management more efficient.

2. Enhanced Security

Clevis and Tang improve security by separating the encryption key from the encrypted data. With Clevis, the encryption key is stored on a remote server (such as a Tang server) and is only accessible when needed to decrypt the data. This separation reduces the risk of unauthorized access to the key and adds an additional layer of protection against data breaches.

3. Facilitating Cross-border Data Transfers

Clevis and Tang can help address the challenge of cross-border data transfers under GDPR. By keeping the encryption keys separate from the data and leveraging network-bound objects, organizations can securely transfer encrypted data across borders without violating data protection regulations. This approach ensures that the data remains protected and accessible only to authorized parties with access to the encryption keys.

4. Compliance with Data Access Rights

GDPR grants individuals the right to access and control their personal data. Clevis and Tang can play a role in enabling organizations to comply with these rights while maintaining data security. By implementing access controls and authentication mechanisms, organizations can ensure that only authorized individuals with valid encryption keys can decrypt and access the data, providing a balance between data control and individual rights.

5. Flexibility and Scalability

Clevis and Tang are flexible tools that can be integrated into existing infrastructure and systems. They are designed to work with LUKS, which is widely used for disk encryption in Linux-based environments. This compatibility allows organizations to leverage their existing encryption capabilities while incorporating Clevis and Tang for enhanced key management and security. Additionally, Clevis and Tang are scalable, enabling organizations to manage encryption keys for large-scale deployments efficiently.

In summary, Clevis and Tang offer simplified key management, enhanced security, facilitate cross-border data transfers, help with compliance, and provide flexibility and scalability. By utilizing these tools alongside encryption mechanisms, organizations can strengthen their data protection practices, adhere to GDPR requirements, and address the challenges associated with data sovereignty.

 
 

Linux Unified Key Setup (LUKS)

LUKS, short for Linux Unified Key Setup, is a widely used disk encryption specification for Linux-based systems. It provides a standard format and framework for encrypting entire disk partitions or individual files within a partition. LUKS operates at the block level, encrypting data as it is written to the disk and decrypting it when accessed.

Key features of LUKS include:

1. Strong Encryption

LUKS supports various symmetric encryption algorithms, such as AES (Advanced Encryption Standard), Serpent, and Twofish, allowing users to choose a secure encryption method that suits their needs.

2. Key Management

LUKS enables the management of multiple encryption keys, allowing for flexibility and ease of access control. Users can set up passphrases, key files, or even integrate with external key management systems such as Clevis and Tang mentioned earlier.

3. Header-based Encryption

LUKS stores encryption metadata in a header section at the beginning of the encrypted partition or file. This header contains information about the encryption algorithm, key slots, and other necessary details for decrypting the data.

4. Integration with Cryptsetup

Cryptsetup is the utility used to set up and manage LUKS encrypted volumes. It provides command-line tools and APIs for creating, opening, closing, and managing LUKS containers.

5. Compatibility and Interoperability:

LUKS is designed to be platform-independent, enabling encrypted volumes to be accessed and managed across various Linux distributions and systems.

By utilizing LUKS, users can ensure the confidentiality and integrity of their data stored on disk partitions. It provides a standardized and secure approach to disk encryption, making it a popular choice for securing sensitive information on Linux-based systems.

 
 

Linode LKE Cluster

This solution is using Linode Managed Kubernetes Engine (LKE) and you will need to first create a cluster or already have one. Ideas on how to do that using Terraform (Infrastructure as Code) can be found in my earlier post here

 
 

Explore solution

We will look at the work done by Kit Knox in the following repository: https://github.com/kitknox/lkeluks

On a new machine with Ubuntu/Debian: Install Tang server

$ apt update 
$ apt install tang jose
$ systemctl enable tangd.socket
$ systemctl start tangd.socket

Clone repo

git clone https://github.com/kitknox/lkeluks

Update luks_setup.sh with the IP for your Tang server

On line 105 it says echo $LUKS_KEY | clevis luks bind -y -d /dev/sdb3 tang '{"url": "http://50.116.0.10"}' -k -
Change 50.115.0.10 to the IP of your installed Tang server

This guide is in the process of being updated! Stay tuned!

All The best! Stefan