The Aeon team has announced the release of Aeon Desktop Release Candidate 3 (RC3), the first version with Full Disk Encryption by default in this series. This release introduces key improvements, with a strong emphasis on security and user experience.
Full Disk Encryption: A New Standard
The highlight of RC3 is the introduction of Full Disk Encryption (FDE) by default. This feature significantly enhances data security, protecting users from unauthorised access in case of device loss or theft.
Aeon RC3 intelligently implements FDE in two modes, adapting to the user's hardware configuration:
- Default Mode: For systems equipped with a Trusted Platform Module (TPM) 2.0 chipset with specific support (version 1.38 or newer), Aeon utilizes this hardware for robust security checks. During startup, the system meticulously verifies the integrity of crucial components, including UEFI Firmware, Secure Boot state, Partition Table, boot loader, drivers, kernel, and initrd. Any discrepancy triggers a prompt for a Recovery Key, ensuring that only authorised modifications proceed.
- Fallback Mode: If the required hardware for Default Mode is absent, Aeon implements Fallback Mode, requiring users to enter a passphrase at each system start. While this mode relies on user input, it still provides strong protection, especially when Secure Boot is enabled.
Addressing Security Concerns
Some users might consider Default Mode less secure because it doesn't require a passphrase at startup. However, the rigorous integrity checks in Default Mode effectively counter attacks that could bypass authentication.
It detects unauthorised changes, including modifications to the kernel command line and initrd, which could be used to compromise a passphrase in Fallback Mode.
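The check described above can be modelled with a TPM-style hash chain. This Python model is an added example, not code from Aeon or the original article: it assumes a single simulated PCR, a simplified "values must match" unlock policy, and constructed sample contents for each component the article lists.

```python
import hashlib

# Components the article lists as verified in Default Mode, in boot order.
# The byte strings are constructed sample contents, not real boot artifacts.
BOOT_CHAIN = [
    ("uefi-firmware", b"firmware v1"),
    ("secure-boot-state", b"enabled"),
    ("partition-table", b"gpt: esp, root"),
    ("boot-loader", b"bootloader binary"),
    ("kernel", b"kernel image"),
    ("kernel-cmdline", b"root=/dev/mapper/root quiet"),
    ("initrd", b"initrd image"),
]

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure(chain) -> bytes:
    """Fold every component into one simulated PCR, starting from zeros."""
    pcr = bytes(32)
    for _name, content in chain:
        pcr = extend(pcr, content)
    return pcr

def unlock(chain, sealed_pcr: bytes) -> str:
    """Simplified policy: release the disk key only if the PCR matches."""
    if measure(chain) == sealed_pcr:
        return "unlocked"
    return "recovery key required"

def with_change(chain, name: str, content: bytes):
    """Return a copy of the chain with one component's content replaced."""
    return [(n, content if n == name else c) for n, c in chain]

# Value recorded when the disk key was sealed on the known-good system.
SEALED = measure(BOOT_CHAIN)

if __name__ == "__main__":
    print("unmodified boot:", unlock(BOOT_CHAIN, SEALED))
    changed = with_change(BOOT_CHAIN, "kernel-cmdline",
                          b"root=/dev/mapper/root quiet debug")
    print("cmdline changed:", unlock(changed, SEALED))
    print("order changed:  ", unlock(list(reversed(BOOT_CHAIN)), SEALED))
```

Because each extend hashes the previous value, a change to any one component, or to the order in which components are measured, yields a different final value and the key stays sealed.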
Behind the Scenes Improvements: Building a Solid Foundation
Beyond FDE, RC3 incorporates several technical enhancements and community-driven initiatives:
tik Installer Evolution:
The Aeon installer, tik (Transactional Installation Kit), now employs systemd-repart instead of dd for image deployment. This shift enables the implementation of Full Disk Encryption and paves the way for future enhancements.
Branding and Community:
Recognizing the importance of a unified identity, Aeon now has an official Brand Guide, providing guidelines for logos, colours, and usage. Additionally, a dedicated Subreddit fosters community interaction, discussions, and support.
Looking Ahead: The Road to Official Release
With RC3 nearing completion, the focus shifts toward final refinements before the official Aeon release. While no major structural changes to the core OS are planned, ongoing improvements from upstream versions and community contributions are expected.
The primary task involves developing openQA tests to validate Aeon's installation process and core functionality.
Will there be an RC4?
As noted in the official release notes, the possibility of an RC4 is being explored. It would leverage tik's systemd-repart capabilities to function as a "Self Installer", potentially reducing the download size significantly by eliminating the need for a separate embedded Aeon image.
This approach, however, depends on features from systemd v256, which was recently submitted to openSUSE Factory and is still at the cutting-edge stage. If RC4 doesn't happen, users can anticipate smaller and more efficient images after the official release.