Fedora 41 Aims To Support Self-Encrypting Drives Within Its Installer
A rather late change proposal for Fedora 41 would add support for self-encrypting drives from within the OS installer.
The change proposal, filed by three Red Hat engineers, would add optional support for using native hardware encryption on TCG OPAL2-compliant drives from within Fedora's Anaconda installer.
The latest cryptsetup LUKS software can be configured to use the drive's own hardware encryption on SATA and NVMe drives supporting the TCG OPAL2 standard. This self-encryption support can be used alone or with dm-crypt software encryption layered on top for greater data protection.
For Fedora 41 the hope is to add an "expert" option within the Kickstart installer configuration to use hardware encryption on capable systems. Compared with dm-crypt, TCG OPAL2 hardware encryption can be useful on lower-tier systems because it consumes fewer CPU resources. Paired with dm-crypt, it can provide better safeguarding of your data.
The Fedora 41 change proposal does note:
"Note: We'd like to emphasize that we do not intend to enable this feature by default, it must be explicitly selected by the user. Using the option to set up only hardware encryption can be risky as it places the trust fully in the disk manufacturer's ability to implement the data encryption in the disk firmware correctly."
The proposal still needs to be voted on by the Fedora Engineering and Steering Committee (FESCo) but if all goes well this feature could be all set with the Fedora 41 debut in October.