Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Figure out whether the private key is encrypted when the container is suspended #7

Open
shankari opened this issue Feb 14, 2020 · 6 comments
Open

Figure out whether the private key is encrypted when the container is suspended #7

shankari opened this issue Feb 14, 2020 · 6 comments
Assignees
@njriasan

Comments

@shankari
Copy link
Contributor

Since containers are essentially processes, suspension will dump memory to disk. But which disk? the encrypted disk or a disk that is accessible by the sysadmin?
@shankari
Copy link
Contributor Author

@njriasan will work on this

@njriasan
Copy link
Contributor

From what I have gather container pausing in Docker occurs through the freezer cgroup controller, described here. By default there doesn't seem to be anything encrypting the disk storage, but I will keep investigating to see if it is possible to do so.

@njriasan
Copy link
Contributor

It does not seem of course like ecryptfs stores the keys to disk (it would be foolish to do so). This does provoke a few questions.

  1. If the container is sent to disk, since it is using a key deleted from the keyring will it still be able to decrypt or encrypt data using that key?

  2. If it can still interact with that data where is the key stored? Is it stored directly in the process or is it just inside the keyring but for some reason not visible by external root terminals (which I still need to investigate).

  3. Does this still produce a risk when streaming the key over the network to the UPC. There is a short time in which the key must live in the network stack in order to be transferred. This is something addressed in the network stack by TLS but once it enters the python scripts creating the TLS connection the key is presumably decrypted. I believe pausing the container at exactly this instance and transferring to disk (or failing to clear the memory later) likely meets our worse fears and allows access to the key.

Question number 3 seems like the exact use case of hardware enclaves so I find it unsurprising that this a concern. I will continue to explore possible workaround as a point of comparison, but it seems like enclaves may be necessary for allowing a key to be fully paused.

@njriasan
Copy link
Contributor

I think this also becomes an issue without suspending a container if for example a data page with the key that will be provided to ecryptfs just gets paged out. This is seeming more likely that enclaves are necessary to allow secure key transfer.

@shankari
Copy link
Contributor Author

@njriasan it looks like after some additional discussion with @deculler, we decided not to go with enclaves. Did you decide how to handle all these scenarios in that case? Or do we just include it in the threat model and move on?

@njriasan
Copy link
Contributor

I think we have to include it in the threat model and move on. Without hardware support I don't think you can do anything if the operating system tries to maliciously swap your program to disk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@njriasan njriasan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shankari @njriasan