
Fedora 30 Aims To Use LUKS2 By Default For Full-Disk Encryption


  • skeevy420
    replied
    Originally posted by RahulSundaram

    "Full disk" is typically used as a moniker to differentiate it from per file encryption or home only encryption solutions. Given the lack of support in Grub2, usually distributions leave /boot unencrypted. You just have to accept that compromise or switch to a different bootloader if your system supports it.
    SUSE doesn't leave /boot unencrypted. GRUB & /boot become their own LVM+LUKS partition that's separated from the rest. Given the limitations (bios/uefi and software), it's an acceptable solution IMHO. I hope Fedora has a similar method as an install option (I do the same thing for my ZFS on Root systems). It's not the same encryption used full disk, but it is full disk encryption (and it should be simple enough to upgrade to LUKS2 whenever/if GRUB supports it).



  • skeevy420
    replied
    Originally posted by darkbasic

    There are no other bootloaders capable of doing so.
    systemd-boot does....but my system doesn't support that....

    For GRUB systems, our only real, universal option is Random File System+LUKS+GRUB.

    That BTRFS encryption article has me a little excited at the possibility of using a file system native encryption for /boot (the main reason I'm one of those ZFS weirdos is because ZFS removes unnecessary layers by handling what LVM handles, what LUKS handles, etc). I'd love to simplify it to BTRFS+GRUB.



  • darkbasic
    replied
    Originally posted by RahulSundaram
    You just have to accept that compromise or switch to a different bootloader if your system supports it.
    There are no other bootloaders capable of doing so.



  • RahulSundaram
    replied
    Originally posted by skeevy420

    Then how is it "full disk encryption"? When I hear that, I assume "everything is encrypted" and not "everything* is encrypted".

    * except /boot, good thing you read the fine print.
    "Full disk" is typically used as a moniker to differentiate it from per file encryption or home only encryption solutions. Given the lack of support in Grub2, usually distributions leave /boot unencrypted. You just have to accept that compromise or switch to a different bootloader if your system supports it.



  • skeevy420
    replied
    Originally posted by stikonas

    You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.
    Then how is it "full disk encryption"? When I hear that, I assume "everything is encrypted" and not "everything* is encrypted".

    I'm aware that systemd-boot, efi-stub, and other methods can get around the GRUB2/LUKS2 limitation, but some of us are stuck with GRUB2 on our PC that came out right before UEFI and some of us like to keep multiple kernels installed and that is, AFAIK, something that sysd-boot doesn't support. I like to keep linux-current and linux-lts installed just in case current breaks.

    * except /boot, good thing you read the fine print.



  • darkbasic
    replied
    Originally posted by stikonas

    You only need GRUB2 support for LUKS2 if you have encrypted /boot. I doubt that's how Fedora installs. They probably keep /boot unencrypted.
    Really? Grub still hasn't caught up with LUKS2 support?



  • zxy_thf
    replied
    Originally posted by jokeyrhyme
    I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
    I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt
    Technically this applies to other FDE systems (BitLocker, etc.). The only thing different is they replaced the first step with keys stored in TPM.

    The eCryptfs is not attractive to me since its maximum filename length is much lower (255 -> ~140) and I may hit this limit someday.



  • skeevy420
    replied
    Originally posted by jokeyrhyme
    I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
    I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt
    IIRC, SUSE does it similarly. /boot was its own thing and / was everything else (unless separate /home was selected). When I ran it with a fully encrypted system I'd have to enter a password to decrypt GRUB, another password if I wanted to tweak GRUB, and two more passwords since I was using a raid0 (one per disk).

    I'm configuring my next setup in a similar manner -- LUKS for /boot on one disk and native ZFS encryption for everything else on the raid.
    Last edited by skeevy420; 05 January 2019, 05:44 PM. Reason: Quoted the wrong person



  • jokeyrhyme
    replied
    I think I played with FDE in Fedora 28 or 29 a while back, and it gave me a password prompt at first boot, then another password prompt for my user account
    I ended up abandoning FDE in favour of home-directory encryption via eCryptfs, which got me down to a single password prompt



  • prudy
    replied
    Let someone include these patches http://grub.johnlane.ie/ into grub2 eventually to have the full encryption including /boot. They have existed for years. If not grub2 directly then maybe Fedora could apply them into their grub2 rpm.

