Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption

  • Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption

    Phoronix: Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption

    Fedora 29 wanted to have the use of LUKS2 by default when going for full-disk encryption compared to the LUKS1 meta-data format, but that didn't turn out in time so now the hope is to have it ready for Fedora 30...

    http://www.phoronix.com/scan.php?pag...-LUKS2-Default

  • #2
    Maybe they can integrate the suspend-to-disk decryption screen crap with the FDE stuff, kinda like macOS does. Then we can have transparent suspend.



    • #3
      What about older systems? AFAIK, GRUB2 doesn't support LUKS2.



      • #4
        Originally posted by skeevy420
        What about older systems? AFAIK, GRUB2 doesn't support LUKS2.
        You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.



        • #5
          Let someone include these patches http://grub.johnlane.ie/ into grub2 eventually to have full encryption including /boot. They have existed for years. If not grub2 directly, then maybe Fedora could apply them to their grub2 rpm.



          • #6
            I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
            I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt



            • #7
              Originally posted by jokeyrhyme
              I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
              I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt
              IIRC, SUSE does it similarly. /boot was its own thing and / was everything else (unless separate /home was selected). When I ran it with a fully encrypted system I'd have to enter a password to decrypt GRUB, another password if I wanted to tweak GRUB, and two more passwords since I was using a raid0 (one per disk).

              I'm configuring my next setup in a similar manner -- LUKS for /boot on one disk and native ZFS encryption for everything else on the raid.
              Last edited by skeevy420; 01-05-2019, 05:44 PM. Reason: Quoted the wrong person



              • #8
                Originally posted by jokeyrhyme
                I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
                I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt
                Technically this applies to other FDE systems (BitLocker, etc.). The only thing different is they replaced the first step with keys stored in TPM.

                eCryptfs is not attractive to me since its maximum filename length is much lower (255 -> ~140) and I may hit this limit someday.



                • #9
                  Originally posted by stikonas

                  You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.
                  Really? GRUB still hasn't caught up with LUKS2 support?



                  • #10
                    Originally posted by stikonas

                    You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.
                    Then how is it "full disk encryption"? When I hear that, I assume "everything is encrypted" and not "everything* is encrypted".

                    I'm aware that systemd-boot, efi-stub, and other methods can get around the GRUB2/LUKS2 limitation, but some of us are stuck with GRUB2 on our PC that came out right before UEFI and some of us like to keep multiple kernels installed and that is, AFAIK, something that sysd-boot doesn't support. I like to keep linux-current and linux-lts installed just in case current breaks.

                    * except /boot, good thing you read the fine print.

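The question running through #4, #9 and #10 is whether the device that holds /boot is LUKS1 or LUKS2, because the GRUB of this thread's time could only unlock LUKS1. The script below is an added example, not code from Fedora, GRUB or cryptsetup: it reads the public LUKS on-disk header layout from a device or image file and reports the version and, for LUKS2, the KDF type of each keyslot (later GRUB releases that did add LUKS2 support initially handled PBKDF2 keyslots only, while cryptsetup's LUKS2 default is Argon2, so the KDF is worth knowing). The two sample headers it builds are constructed in memory for offline use; their label, UUIDs and keyslot layout are made up.

```python
"""Report the LUKS header version of a block device or disk image.

Added example for this thread, not code from Fedora, GRUB or cryptsetup.
It parses only the public on-disk header layout (cryptsetup's LUKS1 phdr and
the LUKS2 binary header plus JSON area) and never reads key material.
"""
import json
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # primary header magic, LUKS1 and LUKS2 alike
LUKS2_BIN_HDR = 4096           # LUKS2 binary header size; JSON area follows it
LUKS2_MAX_HDR = 4 * 1024 * 1024  # largest LUKS2 metadata area cryptsetup allows


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(blob: bytes) -> dict:
    """Classify the start of a device as not-LUKS, LUKS1 or LUKS2.

    Offsets follow cryptsetup's struct luks_phdr and struct luks2_hdr_disk.
    """
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return {"luks": False}
    (version,) = struct.unpack(">H", blob[6:8])
    info = {"luks": True, "version": version}
    if version == 1:
        # cipherName@8, cipherMode@40, hashSpec@72 (32 bytes each),
        # payloadOffset@104 and keyBytes@108 (uint32 BE), uuid@168 (40 bytes)
        if len(blob) < 208:
            raise ValueError("truncated LUKS1 header")
        info["cipher"] = _cstr(blob[8:40]) + "-" + _cstr(blob[40:72])
        info["hash"] = _cstr(blob[72:104])
        info["payload_offset_sectors"], info["key_bytes"] = struct.unpack(">II", blob[104:112])
        info["uuid"] = _cstr(blob[168:208])
    elif version == 2:
        # hdr_size@8 and seqid@16 (uint64 BE), label@24 (48 bytes),
        # checksum_alg@72 (32 bytes), uuid@168 (40 bytes); JSON area at 4096
        if len(blob) < 264:
            raise ValueError("truncated LUKS2 header")
        info["hdr_size"], info["seqid"] = struct.unpack(">QQ", blob[8:24])
        info["label"] = _cstr(blob[24:72])
        info["checksum_alg"] = _cstr(blob[72:104])
        info["uuid"] = _cstr(blob[168:208])
        json_area = blob[LUKS2_BIN_HDR:info["hdr_size"]].rstrip(b"\x00")
        if json_area:
            meta = json.loads(json_area)
            # A bootloader that understands LUKS2 still has to implement the
            # keyslot's password KDF, so record which KDFs are in use.
            info["keyslot_kdfs"] = sorted(
                {ks.get("kdf", {}).get("type", "?") for ks in meta.get("keyslots", {}).values()}
            )
    return info


def inspect_device(path: str) -> dict:
    """Read the primary header from a device or image (needs read access)."""
    with open(path, "rb") as f:
        head = f.read(LUKS2_BIN_HDR)
        if len(head) >= 16 and head[:6] == LUKS_MAGIC and head[6:8] == b"\x00\x02":
            (hdr_size,) = struct.unpack(">Q", head[8:16])   # pull in the JSON area too
            head += f.read(max(min(hdr_size, LUKS2_MAX_HDR) - LUKS2_BIN_HDR, 0))
        return parse_luks_header(head)


def build_luks1_sample() -> bytes:
    """Constructed LUKS1 header for offline testing (not from a real device)."""
    hdr = bytearray(592)                          # sizeof(struct luks_phdr)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload offset (sectors), key bytes
    hdr[168:204] = b"00000000-0000-4000-8000-000000000001"
    return bytes(hdr)


def build_luks2_sample() -> bytes:
    """Constructed LUKS2 header: 4096-byte binary header followed by the JSON area."""
    hdr = bytearray(LUKS2_BIN_HDR)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ", hdr, 8, 16384, 3)     # hdr_size (cryptsetup default), seqid
    hdr[24:35] = b"fedora-root"                   # made-up label
    hdr[72:78] = b"sha256"
    hdr[168:204] = b"00000000-0000-4000-8000-000000000002"
    meta = {                                      # minimal made-up LUKS2 JSON
        "keyslots": {"0": {"type": "luks2", "kdf": {"type": "argon2i"}},
                     "1": {"type": "luks2", "kdf": {"type": "pbkdf2"}}},
        "tokens": {}, "segments": {}, "digests": {}, "config": {},
    }
    json_area = json.dumps(meta).encode()
    return bytes(hdr) + json_area.ljust(16384 - LUKS2_BIN_HDR, b"\x00")


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, inspect_device(path))
    else:
        print("luks1 sample:", parse_luks_header(build_luks1_sample()))
        print("luks2 sample:", parse_luks_header(build_luks2_sample()))
```

Run it with a device path (`sudo python3 luks_hdr.py /dev/sda2`) or with no arguments to parse the constructed samples. On a live system the same answer comes from `findmnt -n -o SOURCE /boot` to see what backs /boot, `lsblk -o NAME,FSTYPE` to check whether that device is crypto_LUKS, and `cryptsetup luksDump <dev>` for the version and keyslot KDFs; the script is for looking at an image offline without cryptsetup.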
