
Encrypting Your Infrastructure Without Getting Fired - Matt Moen

BSides SATX · 2025 · 42:26 · 16 views · Published 2025-09
Speaker: Matt Moen
Style: Talk
About this talk
BSides San Antonio 2025, June 21 at St. Mary's University
Transcript [en]

But I was the lackey for the smart people running BSides Tampa. It's now an absolutely huge conference. Uh you want to get uh really involved in infosec, you want to network and whatnot, uh go volunteer for BSides San Antonio, but Richard runs the whole thing. He's awesome. But don't hassle Richard today or any other organizers cuz they're going nuts. We really want to impress them. Mark on your calendars about 30 days from now to go reach out to the organizers of BSides San Antonio and say I would like to volunteer to help you guys and it's amazing how much you know more impressed they'll be that you reached out to them when they're not

going in 500 different directions. So uh yeah do go check all that stuff out in the local area. So a story time. Um, let's say uh you're running a you you're working for a a local retailer, a regional retail retailer. Let's say this retailer sells coffee. And let's say this retailer, not just coffee, this retailer, it it does drive-thru coffee. And maybe it's called uh Danish Sisters. That sounds good, right? So, uh, so anyway, you're working for this company and you know, this company's just really doing it right. You're doing all of the cool apps stuff, all all the cool applications stuff. You're full all sorts of DevOpsy and whatnot. You're so cool. You've got

Kubernetes clusters in all of your stores that are doing who knows what. And you know the people the developers that have developed this stuff they are mostly they've mostly done a good job by handling the PII the personally identifiable information with their applications but everybody messes up now and then you know stuff happens and you know if you think this scenario I'm describing is insane. There's a well-known chicken place across the country that's been running Kubernetes clusters on really crappy like desktop hardware like HPs or desktops some crap like that and they're running them in the back of the store. that's what they're operating their their stuff on in, you know, these these fast food

joints. So, this isn't such a crazy scenario. I'm painting here. So anyway, you're running you're working here for uh for Danish Sisters Coffee and you're you're a CEO uh is suddenly freaking out cuz he read in the Wall Street Journal this morning about how some burglars ran into uh a a retailer that, you know, had some stuff that in in their retail store and some PII leaked and your CIA, your CEO is like, "All right, what are we doing to protect ourselves from this?" And you know, this this whole Kubernetes thing was rolled out pretty quick. Uh, while they're mostly being pretty good about not holding on to PII and whatnot, there might be some leakage stuff ending up on

disks and whatnot, the disks are not encrypted. Uh, and and your CEO is like, "We can't have this. We need uh uh encryption at rest with all of our stores." And you're thinking to yourself, I mean, all right, what are we going to do? have our our managers like enter encryption passwords at boot, but we're doing Kubernetes clusters and we're not running Windows. What are we going to do? So, you know, you're like, CEO, I'll tell you what, I'll get back to you and uh that's what you do. So, what if I told you that bad people try to steal stuff? I'm shocked. uh what would happen if disks were stolen from uh your data center or you

know your cloud infrastructure or your edge computing systems at Danish sisters data theft is uh expensive it's not good and data at rest encryption you know I mean data at rest encryption is is pretty good stuff it'll protect you from common thieves that look something like this guy. But uh data at rest encryption uh will not protect you from people who actually have real skills. Uh it won't protect you either from ransomware. Certainly won't protect you from leak hackers. Not at all. And uh so you know Linux root disk encryption uh you got a chicken-and-egg problem. So, your system is booting up and you know if you you screw this up wrong, you're going to end up DoSing

yourself. That's bad. Uh, if you manually manually enter a password at boot, like I was mentioning earlier, asking the manager to do that. That's pretty ugly. You could have escrow servers, but now you've got a really juicy target. That's that's not the best solution. You could do some sort of vault kind of thing. Uh but uh we're going to talk about something that in some ways a little better. Maybe you could do TPM. Uh I mean this is supported on Linux these days, but uh it's ugly and uh might make you suicidal. So you know all is not roses with uh the the the TPM. as I was saying, it's uh tamper resistant hardly means

tamperproof. So, here's a a gentleman uh that I I've heard in in the Austin area. I'm not going to mention his name. I don't want to get into trouble and he probably don't want me talking about it. But he's actually been doing some stuff in some some amateur research in uh like the back bedroom in his house, you know, his back room where he's he's taking chips and he's shaving off layers of the chips and then pointing lasers at various bits of the chips and flicking bits on chips. and he's doing this. He, you know, it's not easy to set it all up. You got to line it all up and do a bunch of trial and

error the way he's doing. And this is not the latest chip technology. This is, you know, chips from a decade ago, but he's able to do this at home. So, if he can do this stuff at home, what do you think people can do with, you know, actual real lab equipment? Uh, you know, you think TPM is all that and it's all it's all wonderful and all that. Uh, yeah. Yeah, I mean with the right equipment, you can flick bits on stuff and once you you generally once you have physical access to stuff, you know, that's the end of it. Lasers, you know, can there are other technologies that can do these sorts of things, but yes,

you can flip bits on your uh what do you call it? Lasers are real and uh they they do stuff. Uh some more practical considerations. Here's a gentleman named uh stacksmashing. He's a security researcher and this guy uh you know when researching this talk uh I I found this video I was just blown away. So I'm going to show you a video here in in a moment but I want to describe it first. This gentleman and by the way feel free to take photos of anything you see here and also feel free to shout out any questions anything doesn't make sense to you. You know if I'm going to come up with it later on the talk I'll let you

know. But uh so this guy here, feel free. I'm gonna have a slide at the end that has lots of this stuff with tiny URL links and you can decide whether or not to trust them or not. It's up to you. Uh so this guy is a security researcher and this is not the latest iteration of the TPM. This is the previous iteration of laptops where the TPM, the trusted privacy module was actually a separate chip. But this gentleman got put together a uh uh a Raspberry uh Pico, a little device thing. And he is actually going to stick this he did some custom programming, a whole bunch of custom work. And he's actually going to stick this thing over

the legs of the TPM chip as Windows is booting up with BitLocker. And he's going to lift the decryption key uh for Windows. And then you know after that you can shuck the drive and get full access to that encrypted thing that was encrypted with this super awesome trusted privacy module thing. This all happens very quickly. So watch closely with this video here. He unscrews the thing the laptop plugs it in and then boom you put that thing on the legs of the chip and there's the decryption key. All that's needed after that is to shuck the drive, stick it in a Linux system or something like that, and you've got decrypted access of your BitLocker drive on older

hardware. Obviously, this technique won't work where you have a uh discret a chip that's that's, you know, not a discrete chip that you can do this with, but you know, I was mentioning the laser things before. TPM is not some sort of, you know, end all be all. And once you have physical access to a device, you're you're you're kind of screwed. Wow. >> So, uh, what exactly is this whole TPM module thing? I mean, it's a computer.

Is this a good idea? So, I've got a computer in my computer. I mean, yeah. So, what if we didn't have to deal with any of this nonsense? What if instead we could do this thing called network-based disk decryption? You know, what if instead of uh TPM or or this other stuff, there was another way to do it. So uh this this tool that uh I mentioned at the beginning Tang and Clevis this is uh an open-source set of technologies for Linux and it's based on a theory that was developed by these two genius engineers at Red Hat. Uh and it's uh their names are McCallum and Relyea. I think I'm mostly pronouncing that correctly.

And they've created this this whole cryptographic thing. It's it's kind of weird in that when you you this whole cryptographic thing occurs during the initial handshake thing of it, you actually end up throwing away uh the private one of the private keys that you that's used in this cuz it's only used initially when you're initially establishing trust and then never used again. And uh the decryption works at boot without escrow. It's based on Diffie-Hellman. So, who here knows what Diffie-Hellman is? Handful of folks. All right, we're going to wander into a little bit of cryptographic nonsense here, but we won't get too deep. So Diffie-Hellman is the stuff that uh you know every time you go on uh your

web browser goes on an internet uh you know connects to an HTTPS uh site uh and you're doing uh hypertext uh transport over TLS Diffie-Hellman is being used in order to create a shared secret across the internet over a uh insecure connection where you don't have anything being shared between the few pieces. In short, you know, both sides have a public private key. Uh so the public key is being shared over the internet. The private key is something that uh you know only to yourself. So you go pass the public key to the other side. The web server also passes the public key to you. Some math is done and then you do some additional math with

your private key. And at the end of the whole thing, you both you create this large shared secret that only you and the remote server know and no one else that observed this communication over the wire is the wiser as to what this this shared secret is. It is very cool stuff and it's worth looking into in more depth if this is something that really tickles your fancy. So uh the McCallum-Relyea setup as I was mentioning uh it's kind of like that but a little different. So you know in in our example here I'm going to you know show you what demo later I mean, if the demo gods behave. So we've

actually got here is I've actually got two uh uh what are supposed to be servers. Now, this is supposed to represent a big iron server, or maybe it's just a desktop in the back of uh uh Danish Sisters. Uh but uh you know, this is your actual server thing, and that's running a piece of software called Clevis. And then you've got another little lightweight thing that could be running on something lightweight, and uh it's running something called Tang. And uh if you look here, you got your big iron server and uh the the Tang server, the very lightweight thing, sends a public key to the client. The client generates a uh a new public private key pair. Some

crazy math is done on the client. So this would be your server, your big iron server. Uh the client then discards this private key cuz it's never needed again. Then uh so at this pace this this initial step is where trust is established. This is roughly similar to if you ever use SSH and you initially connect to a new server, you're asked do you want to trust this? This is roughly similar to that. What's going on here? Then the next step would be uh when your your big iron server is booting up later on uh it generates a new public private key pair. It does some math with this new public and private key pair.

The Tang server, the little lightweight thing, does a little more uh math with the the thing that the the server sent up. And um you know, some more math is done on your big iron server. And at the end of all of this, the decryption key that's needed to decrypt the uh the the the uh uh root file system among other things or any other file systems as well on your uh big iron server that is uh uh recreated. So this server key didn't actually exist anywhere. It's not in escrow. It's not anywhere else. It was recreated from the initial trust step that was set up initially. And this is this it's magic this stuff.
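The two exchanges just described, plain Diffie-Hellman and the McCallum-Relyea variant that Tang and Clevis use, as an added worked example for this page (not code from the talk or from the Tang/Clevis projects). It runs over a constructed toy multiplicative group (a Mersenne prime modulus and generator 3) so the arithmetic is visible; real Tang uses elliptic-curve groups and JSON Web Keys. The class and function names are illustrative. The point to watch is that the client keeps only its public value C after provisioning, throws the private exponent away, and at "boot" recovers the same key K while the Tang server only ever sees a blinded value X.

```python
import secrets

# Constructed toy group for illustration only; not a production DH group.
P = 2**127 - 1   # Mersenne prime modulus
G = 3            # toy generator


def keypair():
    """Random private exponent and matching public value g^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


# --- Plain Diffie-Hellman: both sides end up with the same shared secret ---
def dh_shared(my_priv, their_pub):
    return pow(their_pub, my_priv, P)


# --- McCallum-Relyea exchange (what Tang and Clevis do) ---
class TangServer:
    """Stand-in for the lightweight Tang server: one long-lived key, advertised as S."""

    def __init__(self):
        self.s, self.S = keypair()

    def advertise(self):
        return self.S                      # public; sent over plain HTTP in real Tang

    def recover(self, X):
        # Tang raises whatever it is handed to its private exponent. It never
        # sees C or E separately, only the blinded product X = C * E.
        return pow(X, self.s, P)


def provision(S):
    """Initial trust step on the Clevis side (the 'big iron server').

    Returns the public value C, which is all that gets stored (in LUKS metadata
    as part of the JWE), and the key K that protects the volume.
    """
    c, C = keypair()
    K = pow(S, c, P)                       # K = g^(s*c)
    del c                                  # private exponent discarded for good
    return C, K


def recover(tang, S, C):
    """Boot-time step: rebuild K from the stored C with the Tang server's help."""
    e, E = keypair()                       # fresh ephemeral pair for this boot
    X = (C * E) % P                        # blind C so Tang cannot learn it
    Y = tang.recover(X)                    # Y = C^s * E^s
    unblind = pow(pow(S, e, P), -1, P)     # S^e = g^(s*e) = E^s, then invert
    return (Y * unblind) % P               # = C^s = g^(c*s) = K


def demo():
    tang = TangServer()
    S = tang.advertise()
    C, K_at_provision = provision(S)       # done once, when trust is established
    K_at_boot = recover(tang, S, C)        # done every boot, with only C on disk
    return K_at_provision == K_at_boot


if __name__ == "__main__":
    print("recovered key matches:", demo())
```

Without the Tang server's exponent s, the stored C is useless; without C (the Clevis side), Tang alone cannot produce K either, which is the "you need both halves" property the demo later relies on.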

If there are any real math nerds that love discrete math, uh here is the discrete math explanation of what's going on here. Uh this was grabbed off of the Red Hat presentation you see at the bottom. If anyone from Red Hat is here, don't sue me. Uh but uh yeah, this is a cool presentation. It's worth checking out. And uh so you know there is actual real math behind this and real cryptographic awesomeness. This is what's going on here is so close to Diffie-Hellman that uh folks cryptographers have have looked over this in depth and plenty of cryptographers have signed off on this as so flipping close to Diffie-Hellman it's secure. Uh, I mean that doesn't

mean that that implementations out there couldn't have issues or that sort of thing, but this is probably okay. So, Tang server, I was mentioning that before. We've got our demo rig that we're going to look at in the future. This is the Tang server is nothing more than a lightweight HTTP server. Yes, you're reading that right. It's not using secure HTTP HTTPS cuz it doesn't matter because the only thing that's being handed is already encrypted. And uh also if you know anything about Linux servers or if you kind of think this one through early on in the Linux boot process, there's a very minimal Linux system that's set up initially and it is very minimal. It it's amazing that you can

actually get this whole Clevis thing shoved in there. You don't want to have to also be doing HTTPS. There's no need to. So that's part of the reason just keeping it simple. Uh uh the Tang server is only using HTTP so that Clevis doesn't need to do HTTPS. Uh you can run this on something really really lightweight. You should be able to run it on something as lightweight as a Raspberry Pi Zero for hundreds of servers. This really is using very little. It doesn't matter, but I mean it just is using very little in the way of uh CPU cycles to pull all of this stuff up. And uh the secure thing that's being passed over this lightweight HTTP server

is a JSON object signed uh encryption file. We're going to look at that in a bit during part of our demo later on. So McCallum and Relyea developed this thing. Clevis. Clevis is the bit that's running on your big iron server, you know, or maybe it's just a desktop in the back of a store, but uh you know, the thing you're actually trying to protect. Uh it negotiates with that really lightweight Tang server. It uses a LUKS slot to store its metadata. Who here is familiar with LUKS on Linux? Okay, handful of Linux nerds here. Awesome. LUKS stands for the Linux Unified Key Setup system. I think I got the algorithm right. So, uh you

can still decrypt things manually even when you're using this whole Tang and Clevis thing. So, normally the way LUKS would work uh like on your desktop or something is it boots up and asks you for a passphrase. When you're implementing this thing, you still have the option of using a passphrase. You just also have the option of having this automated thing that doesn't require any kind of user input. So, word on LUKS. Yeah. Linux Unified Key Setup. Uh it has one master key. That is the thing that actually does the uh uh the encryption. That's the encryption key for the the Linux volume that you're using LUKS to protect. Then LUKS also has a bunch of

slots uh eight user key slots specifically. So a LUKS system would look a LUKS setup for a a Linux volume would look something like this. You've got slot one. I mean this is what it would normally look like if you're running on on your desktop or whatever. Uh you've got uh slot one contains a passphrase. So, normally when you'd boot up, you just enter your passphrase and that's enough to recover the master key that will then decrypt the Linux volume and you've got another uh slots 2 through 8 in there. So, you've got quite a few options there. Uh if you're using this whole Tang and Clevis thing you're talking about. So, on our big iron

server, our LUKS volume for root would look something like this. uh you'd still have the passphrase and number one probably that you used when you installed things up and then slot two would be this awesome data that this whole Tang and Clevis thing are using and that's what the system it would you know look to see if there's any of this uh uh uh JWE data in any of these slots if it is it's going to try that pretty cool stuff so ways to protect your Tang server you remember this could be running on a Raspberry Pi. You could be throwing it on the other end of a VPN. Uh, now you need network connectivity
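A model of the LUKS layout just described (one master key, eight key slots, a passphrase in slot 1 and the Tang/Clevis material in slot 2) together with the boot-time behaviour shown in the demo later, where the Tang pin is retried while the network is down and the passphrase still unlocks the volume. This is an added example for this page, not code from the talk, cryptsetup or Clevis: the key wrapping (an HMAC-SHA256 keystream XOR) and the master-key digest are simplified stand-ins for LUKS's real anti-forensic splitting and PBKDF settings, and the FlakyTang class, slot labels and secrets are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SLOTS = 8                     # LUKS1 has eight user key slots


def _keystream(key: bytes, salt: bytes, n: int) -> bytes:
    """Deterministic keystream from a slot key (simplified stand-in for LUKS's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, salt + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class LuksHeader:
    """Toy LUKS header: a random master key wrapped independently in each used slot."""

    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.digest_salt = secrets.token_bytes(16)
        # Digest lets a slot attempt be checked without knowing which slot is right.
        self.digest = hashlib.sha256(self.digest_salt + self.master).digest()
        self.slots = [None] * SLOTS          # each entry: (salt, wrapped_master, label)

    def add_slot(self, unlock_secret: bytes, label: str) -> int:
        if None not in self.slots:
            raise RuntimeError("all key slots in use")
        idx = self.slots.index(None)
        salt = secrets.token_bytes(16)
        slot_key = hashlib.pbkdf2_hmac("sha256", unlock_secret, salt, 10_000)
        wrapped = bytes(a ^ b for a, b in zip(self.master, _keystream(slot_key, salt, 32)))
        self.slots[idx] = (salt, wrapped, label)
        return idx

    def unlock(self, unlock_secret: bytes):
        """Try every slot; return (slot index, master key) or None, like a LUKS open."""
        for idx, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped, _ = slot
            slot_key = hashlib.pbkdf2_hmac("sha256", unlock_secret, salt, 10_000)
            cand = bytes(a ^ b for a, b in zip(wrapped, _keystream(slot_key, salt, 32)))
            if hmac.compare_digest(hashlib.sha256(self.digest_salt + cand).digest(), self.digest):
                return idx, cand
        return None


class FlakyTang:
    """Constructed stand-in for the Tang pin: unreachable for `down_for` attempts."""

    def __init__(self, recovered_key: bytes, down_for: int):
        self.key, self.down_for = recovered_key, down_for

    def recover(self) -> bytes:
        if self.down_for > 0:
            self.down_for -= 1
            raise ConnectionError("tang unreachable")
        return self.key


def boot_unlock(header: LuksHeader, tang: FlakyTang, max_tries: int, passphrase: bytes = None):
    """Boot-time unlock order: Tang first, retried; an entered passphrase wins if Tang is down."""
    for _ in range(max_tries):
        try:
            result = header.unlock(tang.recover())
            if result is not None:
                return "tang", result
        except ConnectionError:
            if passphrase is not None:
                result = header.unlock(passphrase)
                if result is not None:
                    return "passphrase", result
    return None                              # still waiting on the network, no passphrase


if __name__ == "__main__":
    hdr = LuksHeader()
    hdr.add_slot(b"install-time passphrase", "passphrase")        # slot 0 (the talk's slot 1)
    tang_key = secrets.token_bytes(32)                             # what Clevis recovers from Tang
    hdr.add_slot(tang_key, "clevis-tang")                          # slot 1 (the talk's slot 2)
    print(boot_unlock(hdr, FlakyTang(tang_key, down_for=2), max_tries=5)[0])
```

Either slot yields the same master key, which is why the passphrase remains a valid fallback after Clevis is bound, and why rotating Tang keys means rebinding that slot rather than touching the master key.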

for your systems to boot up. But that's one option. Uh, you could hide the thing. I mean, if it's a Raspberry Pi, it maybe could be in the ceiling. I mean, there's nothing wrong with a little bit of security through obscurity, right? Uh, again, you know, it depends on what your threat model is and what you're trying to protect against. Your average burglar probably isn't going to go all the way through all the ceilings and that sort of thing. So, that might be an option, at least your average unsophisticated burglar. For added security uh for all of this, your Tang server, you should probably periodically rotate your Tang keys uh which means establish new ones. You also

need to hold on to any keys that were used in order to establish trust initially with any Clevis systems that are out there. So you don't necessarily want to delete your old ones. Uh you want to create a procedure for this. Cryptography is not trivial. Uh you know it it requires work to actually do it right. And uh yeah, who wants to see a demo? Huh? >> Yeah. All right. So we're we're actually going to do a proper demo. Uh I I do have a backup option, but who wants that nonsense? So, what I'm going to do, this right here is the HDMI uh switch thing that I've got my laptop plugged into. I'm going to

unplug that. So, you're not going to see anything on the laptop. And I am going to find the HDMI cable in this rat's nest and plug it in over here. And then, sorry, the screen is a little bit uh funky. All right. It did this before. I'm glad we tested this early. All right, kids. Don't try this at home, but we're going to unplug the system and plug it back in again. So, this is our big iron server that we've got plugged in here. And oh, there we go. Voilà, as they say in France. So, this right here is our Big Iron server, and we've got it booting up right now. That's Grub. So, I've got a USB keyboard plugged into

it up here. I've got a network cable plugged between it and our Tang server. But in this case, both of these particular Raspberry Pis are Raspberry Pi 4, which is ridiculously overkill, especially for the Tang server. But, uh, you know, I like to travel light and Raspberry Pi 4s have USB-C. It makes life easier. That's why we're doing that. But again, like I said, this there's no reason this couldn't be running something really light when a Raspberry Pi 3 would still be overkill. Uh, but we're just using a Raspberry Pi 4 just to make life easier. So, again, we've got an Ethernet cable plugged between the two. This particular thing functioning as a Tang server only has

power and Ethernet on the bottom. This has a lot more going on over here on our simulation of our big iron server. We've got uh Ethernet. We've got our USB keyboard plugged in over here. Uh we've got power. Then also we've got mini HDMI. That's how you're able to look at all of this. Awesome. Here. And then you Oh, I also have a uh USB uh uh stick uh memory stick plugged in here. I'm doing that to make life easy. trying to uh make uh Tang trying to install Clevis on the Raspberry Pi is much easier if uh you're doing it on say a USB device like this. In order to make this work, I'm actually booting off of

this USB device. In order to make that work, you have to do all sorts of shenanigans with UEFI with Raspberry Pi. You wouldn't have to do any of this stuff if say you were doing this on an x86 PC. It would be much easier. It was hard to make it work on this Raspberry Pi stuff, but hey, it works on ARM64. It's pretty cool. Um, but uh yeah, anyway, we've got that uh USB. This right here is actually running off of that USB stick. And uh so on this system here, uh I'm going to log in and I can't really see it over here. Let's see. Okay, so I logged in there. Let me come over here. Let's see how

this works. All right. So, I'm logged in there. And if we look here, I've got a handful of files here. And in particular, I'm interested in a file called tangen. So, I'm going to cat that file. Can you guys see this back there? Yes, sir. All right. So if you look at this particular uh uh script, it's very simple. What it's doing is it's running uh the clevis command and it's passing an argument encrypt and then it's using tang as the pin. You could use other pins. Uh for instance, you could use say TPM or other things. We're going to cover that in a little more detail in a bit. Then after that, it has a URL uh that's in some

JSON and it's put in there with an IP address. Why? Because that makes the demo much easier. Of course, you could actually do DNS and actually do this properly. If you're actually doing this in production, you probably wouldn't want to do that. So, I've got that and then that will encrypt something. So, for starters here, let's encrypt something. So, I need some audience participation. I need a short word or phrase that we should encrypt. Pterodactyl. >> Something we can spell. >> Please. >> Please. Okay. How about yes, please? >> Okay. With an exclamation point. Okay. And I think I did a what do you call a quote there? Did we do that right there? Yeah,

that looks right. All right. So, I'm going to pipe that into my tangit command, and I'm going to redirect the output of that into a JWE file. plz.jwe. Okay. So, I'm going to hit enter here. So, this is my big iron server that I'm currently connected to. And it right now is asking me, hey, do I want to trust uh this remote Tang server that I'm connected to running on the other Raspberry Pi and it's got a string there. Now, you can already establish trust if you're actually doing this in production. So, it's not asking you this question. You probably should do that, but this is a demo. So, we're just going to say 'y'.

And now if we look, let's clear the screen. If I cat the PLZ file, we have this big ass string. Okay, so I have another command there called decrypt it. That's much much much simpler. All it says is clevis and decrypt. So, I'm actually not even going to run that. So, we're going to take the uh cat from this. I'm going to pipe it to clevis decrypt. And boom, there is our magic hidden phrase. Now, what just happened here? I mean, this is what's happening with boot. You can actually store use it to store any kind of messages. And that's what we're demoing here. This phrase didn't exist anywhere. It was encrypted in a fashion where you need both

components. You need both the big iron server and both the tang server. If you only have one, you have nothing. The message is lost forever. You must have both. When you have both, that magic McCallum-Relyea handshake can occur and the system will boot up. So that's how that part works. Now the cool part or extra cool part. So we are going to reboot the system again except this time I am going to disconnect the network cable here. Let's disconnect the network cable on the Tang server. So now you only see one cable plugged in there, the power cable. And now I'm going to power cycle our simulated big iron server here. And it's going to boot up.

and it's thinking about it. By the way, to to make all of this Raspberry Pi stuff work, you have to actually flash your Raspberry Pi to make all of this UEFI nonsense work. It's a whole thing. I've got a link at the end if you're interested in doing this sort of stuff with Raspberry Pi 4. Uh, I couldn't believe how much work it was to make all of that work. So, what's going on here is the system is booting up and there's a bunch of noise and it's saying, "Hey, I'm trying to contact the Tang server." Now, I could at this point type in the passphrase and the system would continue to boot up and decrypt as normally. We

don't want that. Uh, let's just say we had a slight network hiccup at this point and the network hiccup is resolved and we're going to simulate that by reconnecting the network wire. And maybe it reconnects it.

And like magic, the system continues to boot because before that it was encrypted and the handshake with the Tang server occurred. The uh uh root file system and boot file system was decrypted. The system finishes booting. There we go. Fantastic. Any [Music] questions? Question. Yes. >> So over the demo, how do you integrate that with the actual part? >> How do you integrate that with the >> integrate the like part to the boot part of the OS? >> With the what part of the OS? >> Oh, the booting part of the OS. Uh yeah, I'm not really going to cover that in depth in this talk, but the short answer is you install Clevis. You in you're going to need to set up a

Tang server somewhere. And uh there are detailed instructions on the the Clevis website about how to establish the initial trust and how to install it into your bootloader. And you want more details, feel free to talk to me afterward. Any other questions with the demo part before we move back to the rest of the presentation? All right. So, we're going to disconnect that and reconnect this.

Boom. How are we doing for time? >> Pretty good. >> All right. Cool. >> You got till 4:15. >> Awesome. Okay. And here was my backup slide in case the demo didn't work. Uh, so what the solution protects you from, like I was saying before, protects you from common thieves. But what about really sophisticated thieves with skills, you know, duh? Uh ultimately they have you in your data if somebody really really has skills. So, if somebody, you know, with actual skills is the one breaking into uh uh your Danish sister store, you're in trouble. If someone with real skills, say, pays a hobo to uh uh and gives them really really good instructions on how to do

everything, uh you're you're probably also hosed. I mean, it's just reality. I mean, once you have physical access to stuff, it gets ugly really really quick. what we're talking about here makes life better in general, but it's hardly a panacea. So, you can make things a little bit better. Uh maybe I if your threat model would warrant it, you could do more defense in depth strategies even with this solution. Uh for instance, if your Tang server goes down, none of this works. if your Tang server is over a VPN and none of this works if the VPN goes down. But uh Tang also supports Clevis and Tang. Uh Clevis supports using a Shamir secret sharing. Uh so

theoretically you could have three Tang servers, you could have five Tang servers and you could require a certain quorum of servers in order to actually uh have all of this handshake work. So you could make it so that say you've got three Tang servers, you could make it so that uh when the system is booting up, you need at least two Tang servers in order to reconstitute the key. So if one of the three goes down, you're still fine. Uh if you want five, then you could require three servers and so on and so forth. You could also require both Tang, both a Tang server and TPM2 on your hardware. So if you want to be

extra paranoid, I mean, we said TPM2 is not some sort of, you know, panacea can be worked around, but now you just made things much more complicated if you're requiring both TPM2 and a Tang server that's on the other end of a network. Now it's going to be much more difficult to uh uh decrypt that particular hard drive. Um, you know, assuming that they didn't grab the key out of RAM when it was still running. I mean, there's always ways around it. So you could also require both TPM2 and or a quorum of Tang servers with the Shamir secrets sharing. You know with great power comes great responsibility. You need to figure out what your threat model is and choose
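The quorum idea above (two of three Tang servers, three of five, optionally plus TPM2), as an added worked example for this page rather than code from the talk or from Clevis. It implements Shamir secret sharing over a prime field, splits a constructed secret into n shares with threshold t, and shows that any t shares rebuild it while fewer do not, which is the property Clevis's sss pin relies on when it hands one share to each Tang server. The CLEVIS_SSS_CONFIG dict mirrors the shape of the real sss pin configuration (a threshold "t" and a "pins" map); its URLs are placeholders.

```python
import secrets

# Field for the polynomial arithmetic; any prime larger than the secret works.
P = 2**127 - 1


def split(secret: int, t: int, n: int):
    """Split `secret` into n shares of a random degree-(t-1) polynomial f with f(0) = secret."""
    assert 0 <= secret < P and 1 <= t <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + a) % P
        shares.append((x, y))
    return shares


def combine(shares):
    """Lagrange-interpolate f(0) from the given (x, y) points; correct only with >= t of them."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


# Shape of a Clevis sss pin config: threshold t over a set of pins. URLs are placeholders
# for this example; the "tpm2": {} entry is how a TPM2 requirement is added to the quorum.
CLEVIS_SSS_CONFIG = {
    "t": 2,
    "pins": {
        "tang": [
            {"url": "http://tang1.example.invalid"},
            {"url": "http://tang2.example.invalid"},
            {"url": "http://tang3.example.invalid"},
        ],
        "tpm2": {},
    },
}


def quorum_boot(secret: int, t: int, n: int, reachable):
    """Simulate boot with only the Tang servers in `reachable` (1-based indices) answering.

    Returns the reconstructed secret, or None if fewer than t servers answered.
    """
    shares = split(secret, t, n)                          # one share per Tang server
    answered = [s for s in shares if s[0] in reachable]
    if len(answered) < t:
        return None                                       # stuck at the boot prompt
    return combine(answered[:t])


if __name__ == "__main__":
    key = secrets.randbelow(P)
    print("2 of 3 up   ->", quorum_boot(key, 2, 3, {1, 3}) == key)
    print("1 of 3 up   ->", quorum_boot(key, 2, 3, {2}))
    print("3 of 5 up   ->", quorum_boot(key, 3, 5, {1, 2, 5}) == key)
```

The shares never leave the polynomial's field, so one Tang server holding one share learns nothing about the secret; and the operational cost the talk warns about is visible in `quorum_boot`: the number of servers that must be reachable at boot is a design choice you pay for in uptime.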

the right amount of complexity that uh actually you can justify in terms of the cost. None of this is free. Earlier I was uh talking a lot of trash about TPM. Um, you know, I mean, TPM 1.2 was it was a complete dumpster fire. It was horrible. Uh, TPM2 is not nearly as bad. I mean, it still is a computer inside a computer, but it's not nearly as bad as what we were dealing with before. Um, so, you know, I mean, BitLocker, UEFI, Secure, um, like I was mentioning, all of this stuff, it's a it's a small computer running inside of your system. It has an API. Uh, that's a whole lot of attack surface. TPMs are also kind of

slow. Not that that really matters. I mean, your system doesn't boot up that often. TPM, uh, you know, what can it do? It can beyond just this sort of booting out thing, you can actually use TPM to do things like store OpenSSL keys. This might be an interesting application if you've got uh, you know, a bunch of web servers. um you know you can validate that uh tampering hasn't occurred at least theoretically I mean it has some functionality to uh uh measure certain things during booting and you know maybe that'll you know save you and uh make it more difficult to tamper with stuff. uh you can conditionally conditionally uh decrypt volumes at boot much more

whatever uh more complexity means more potential for DoSing yourself don't shoot yourselves in the foot to avoid uh catastrophes you know how to avoid CrowdStrike-like catastrophes where you DoS yourself. You know what happened with CrowdStrike? They had some really cool software and they pushed out an update and they they DoSed themselves. As you're rolling this stuff out, you need to be really careful so you don't get fired. Uh that's just reality. Network-based decryption means it makes yourself dependent on the network. It makes your systems dependent on the network. It uh requires your network to have uh some sort of internet connectivity probably. Some questions you might want to ask yourself. How valuable is the data that you're

trying to protect? You know, nerds like to get all excited about cool technologies, but you know, I mean, the grown-up nerds ask this sorts of, you know, ask this sort of question. How valuable is this data actually? you know, uh what would the cost actually be if that data is stolen that uh I've got in my store? What would the cost be if the data is distributed given my threat model? How do I hide my keys? And in this case, my keys are my Tang server. uh also theoretically the other server but that's where your data is stored and it's it's your Tang server. So the total to total cost of disk decryption what is

the total cost of rolling it out? It's not free requires a lot of man-hours to actually test this sort of thing then put together a plan to roll it out. What is the ongoing cost of maintaining this solution? It's not free. Your time is worth money. The other people involved with maintaining this, their time is worth money. So ultimately, we need to secure with a purpose. And the short answer is the cost to implement and maintain our fix had better be less than the cost of, you know, a a security breach or the bad security thing happening. times what we guess the probability of that thing happening is. There's no point in spending way more money than you know

for something that's very improbable. You know, for something that's very probable but also very cheap. We also don't want to spend a lot of money for that. So, I mean, we need to justify what we're actually doing. In the case of this particular thing here, in the example I've got earlier with uh Danish sisters, uh how good are we doing with our uh uh ability to keep PII off of the spinning disks if we've got spinning disks or SSDs or what have you? How how good are we doing that? Um and what would the risk be if some of that actually leaked out there? Um you know, these are questions that they're ultimately business decisions.

takeaways. Tang and Clevis are open source as we mentioned. You need both the Tang server that's now on the floor and uh the Clevis, you know, the big iron server in order to decrypt what's on the disk. If you only have one, you've got nothing. You can add extra decryption requirements to it uh to Clevis like we mentioned. You could add TPM2. You could also require a quorum of Tang servers or you could do both. Make sure your encryption solution makes business sense. So your CEO at uh Danish Sisters comes back to you and says, "So what are you doing?" He's saying we sir have a solution or ma'am have a solution where we are rolling out on disk encryption on

all of our systems and we're going to require network connectivity when the systems boot up. It's not ideal but uh all we need is just a little bit of network connectivity not a lot. We're going to look into, you know, making our network more robust so when the systems boot up, uh, uh, that that that is there. And, uh, at this point in time, if somebody steals our servers, they're encrypted. And, you know, this isn't a panacea. That doesn't mean that, uh, there isn't some weird angle where somebody who has really good talent. I mean, if you've got really people with lots and lots of money and lots of skill that want those systems, they they might

break in and do something really clever, but we're going to make it much more difficult. We're going to raise that barrier of entry so it's really difficult for them to get our data. And your CEO said CEO says, "Hey, good job. You have greatly reduced our risk and you you've just made it much more difficult for people to mess with us. Good job. Well done. Thank you folks. Feel free to take photos again.

Questions.