Linux Security Summit: Europe 2025 talk

This talk presented a fully open-source framework to achieve secure full disk encryption (FDE) for TPM-equipped Edge devices (IoT), balancing strong security guarantees with practical maintainability at scale. I addressed key features including automated disk unlocking and recovery, monitoring and remote access. The talk covered the following:

• A fully verified boot chain, from EFI firmware through the initramfs. I also covered which system components to verify and common pitfalls to avoid when setting up a secure boot chain.
• A newly-developed, open-source TPM PCR prediction mechanism enabling seamless reboots after kernel or initramfs updates.
• Automated disk encryption key onboarding and recovery using Tang and Clevis.
• Secure remote access and fleet observability while disks remain locked - using WireGuard, SSH, and Prometheus.
• Guidance on how to extend the initramfs (dracut) with your own tooling.
• Discussion of shortfalls and potential security risks

Watch the talk below, or, check out the slides below the video.