Lincoln Laboratory’s cloud-security software is released into Red Hat Enterprise Linux
Red Hat, a global leader in the open-source software community, has released the Keylime package into their Red Hat Enterprise Linux (RHEL 9.1) operating system. Keylime is a security software architecture developed at Lincoln Laboratory. The software's release into RHEL 9.1 makes it widely available to the large and diverse base of RHEL users spanning industry, academia, and government.
"This step is important in continuing the widespread adoption of the Keylime technology," says Charles Munson, a researcher in the Laboratory's Secure Resilient Systems and Technology Group and co-inventor of the technology. "The convenience of installing Keylime via a built-in package manager and the large reach of the RHEL operating system make it easier now more than ever for users to adopt Keylime and protect their critical systems."
Keylime was developed to help customers of cloud, edge, and Internet-of-Things computing services strengthen the security and trustworthiness of their machines. Cloud computing services allow organizations to rent machines from a cloud provider, who handles the security of those rented machines. While cloud providers claim that the machines are secure, customers have no way to verify the cloud's security. As a result, many organizations with sensitive data are reluctant to reap the benefits of flexibility and low cost that the cloud offers.
To address this security concern, Keylime remotely and continuously verifies that the machines hosting and processing an organization's data are secure by leveraging a piece of hardware called a Trusted Platform Module (TPM). The TPM produces a hash (a fixed-length digest that summarizes the measured data) that changes significantly if the measured data are tampered with. Keylime was designed to make TPMs compatible with cloud technology, and it reacts to a TPM hash change within seconds to shut down a compromised machine. Keylime also enables users to securely bootstrap secrets (in other words, securely upload cryptographic keys, passwords, and certificates into the rented machines) without divulging these secrets to the cloud provider.
"With Keylime, you can verify the state of systems at boot and continuously monitor the integrity of remote systems. You can also send encrypted files to the monitored systems, and specify automated actions triggered whenever a monitored system fails the integrity test," Red Hat wrote in its documentation supporting the release.
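The verification loop described above, as an added illustration that is not Keylime's own code: a TPM-style register is only ever extended (hashed together with each new measurement), a verifier compares the quoted value against a known-good value on every poll, and the first mismatch triggers an automated action. The boot components, host name and "revoke" action are constructed for the example, and the TPM's signature over the quote is omitted.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest length


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # A TPM register cannot be written directly, only extended:
    # new = H(old || H(measurement)). Replaying the same sequence of
    # measurements reproduces the same value; changing any component
    # anywhere in the chain yields an unrelated digest.
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure(components: list) -> bytes:
    pcr = bytes(HASH_LEN)  # registers start zeroed at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class Verifier:
    def __init__(self, golden: bytes):
        self.golden = golden      # expected value for a healthy host
        self.revoked = []         # hosts that failed an integrity check

    def check_quote(self, host: str, quoted_pcr: bytes) -> bool:
        ok = hmac.compare_digest(quoted_pcr, self.golden)
        if not ok and host not in self.revoked:
            self.revoked.append(host)  # automated action on failure
        return ok

    def monitor(self, host: str, quotes: list):
        """Poll quotes in order; return index of the first failure, else None."""
        for i, quote in enumerate(quotes):
            if not self.check_quote(host, quote):
                return i
        return None


# Constructed sample boot chains (not real measurement values).
GOOD_BOOT = [b"firmware v1.0", b"bootloader v2.3", b"kernel 5.14.0"]
TAMPERED_BOOT = [b"firmware v1.0", b"bootloader v2.3", b"kernel 5.14.0 (modified)"]
GOLDEN = measure(GOOD_BOOT)


def demo():
    # Two healthy polls, then the host reports a tampered kernel.
    verifier = Verifier(GOLDEN)
    quotes = [measure(GOOD_BOOT), measure(GOOD_BOOT), measure(TAMPERED_BOOT)]
    return verifier.monitor("host-a", quotes), verifier.revoked


if __name__ == "__main__":
    print(demo())  # (2, ['host-a'])
```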
The RHEL 9.1 release comes on the heels of recent developments in Keylime's open-source transition, including its acceptance into the Linux Foundation’s Cloud Native Computing Foundation as a sandbox technology and its adoption by IBM to protect their thousands of IBM Cloud machines. In recent years, the technology was awarded an R&D 100 Award and Federal Laboratory Consortium Excellence in Technology Transfer Award. Keylime was initially prototyped in 2015 and is used as a core security component in the Mass Open Cloud initiative, a public cloud service supporting thousands of students and researchers.
Lincoln Laboratory began collaborating with Red Hat on Keylime in 2017 under a pilot program, funded by the Department of Homeland Security’s Transition to Practice program, to mature the technology in the open-source community and further its development. Today, more than 50 open-source developers from around the world are contributing to Keylime. Prior to its release as part of RHEL 9.1, Keylime was already available for Red Hat’s Fedora Linux operating system.
Inquiries: contact Kylie Foy