Announcement

**microcode** · 05 January 2019, 08:41 AM

Maybe they can integrate the suspend to disk decryption screen crap with the fde stuff, kinda like macOS.
does. Then we can have transparent suspend.

**skeevy420** · 05 January 2019, 09:38 AM

What about older systems? AFAIK, GRUB2 doesn't support LUKS2.

**stikonas** · 05 January 2019, 01:36 PM

Originally posted by skeevy420 View Post

What about older systems? AFAIK, GRUB2 doesn't support LUKS2.

You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.

**prudy** · 05 January 2019, 02:53 PM

Let someone include these patches http://grub.johnlane.ie/ into to grub2 eventually to have the full encryption including /boot. They exist for years. If not grub2 directly then maybe Fedora could apply them into their grub2 rpm.

**jokeyrhyme** · 05 January 2019, 04:51 PM

I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt

**skeevy420** · 05 January 2019, 05:03 PM

Originally posted by jokeyrhyme View Post

I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt

IIRC, SUSE does it similarly. /boot was its own thing and / was everything else (unless separate /home was selected). When I ran it with a fully encrypted system I'd have to enter a password to decrypt GRUB, another password if I wanted to tweak GRUB, and two more passwords since I was using a raid0 (one per disk).

I'm configuring my next setup in a similar manner -- LUKS for /boot on one disk and native ZFS encryption for everything else on the raid.

**zxy_thf** · 05 January 2019, 07:00 PM

Originally posted by jokeyrhyme View Post

I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt

Technically this applies to other FDE systems (BitLocker, etc.). The only thing different is they replaced the first step with keys stored in TPM.

The eCryptfs is not attractive to me since its maximum filename length is much lower (255 -> ~140) and I may hit this limit someday.

**darkbasic** · 06 January 2019, 05:26 AM

Originally posted by stikonas View Post

You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.

Really? Grub didn't still catch up with LUKS2 support?

**skeevy420** · 06 January 2019, 11:46 AM

Originally posted by stikonas View Post

You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.

Then how is it "full disk encryption"? When I hear that, I assume "everything is encrypted" and not "everything* is encrypted".

I'm aware that systemd-boot, efi-stub, and other methods can get around the GRUB2/LUKS2 limitation, but some of us are stuck with GRUB2 on our PC that came out right before UEFI and some of us like to keep multiple kernels installed and that is, AFAIK, something that sysd-boot doesn't support. I like to keep linux-current and linux-lts installed just in case current breaks.

* except /boot, good thing you read the fine print.

Announcement

Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption

Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment