Three Red Hat engineers have submitted a change proposal for Fedora Linux 41. If approved, this change would add optional support for native hardware encryption on TCG OPAL2 compliant drives within Fedora's Anaconda installer. The proposed self-encrypting drive support would ship with Fedora Linux 41 and would affect only new installations.
The Proposal
Vojtech Trefny, Ondrej Kozina, and Jiri Konecny from Red Hat have proposed enhancing Fedora's disk encryption options. Their suggestion aims to leverage the capabilities of self-encrypting drives (SEDs) during the installation process.
To put this more clearly, their suggestion aims to introduce optional support for using native hardware encryption on TCG OPAL2 compliant drives when configuring disk encryption in the Fedora installer, Anaconda.
This feature will provide users with an additional layer of security and flexibility when setting up disk encryption.
What Are Self-Encrypting Drives and OPAL2?
Self-encrypting drives (SEDs) perform encryption and decryption operations within their hardware. The TCG OPAL2 standard, developed by the Trusted Computing Group, defines a specific set of security features for storage devices, including self-encryption.
The proposed change specifically targets drives that are compliant with this OPAL2 standard. It's important to note that while all OPAL2 compliant drives are self-encrypting, not all self-encrypting drives necessarily follow the OPAL2 standard.
Proposed Installation Options
If approved, the change would add two new choices when setting up encrypted storage in Fedora's Anaconda installer:
- Hardware encryption only
- Combined hardware and software encryption
These options would offer more flexibility for users with compatible hardware.
What's Changing?
The proposed change will extend the existing --luks-version option in the kickstart interface to enable the use of hardware encryption. Two new values will be accepted:
- --luks-version=luks2-hw-opal : Enables hardware encryption only
- --luks-version=luks2-hw-opal-crypt : Enables hardware encryption in combination with software encryption
Please note that this feature will be available only through the kickstart interface and will not be enabled by default. Users must explicitly select this option to use hardware encryption.
Proposed Implementation
To test this feature, users would need:
- A disk that supports the OPAL specification
- The sedutil-cli utility (provided by the sedutil package) to check for OPAL compliance
To check for OPAL support, run sedutil-cli with the following command:
sudo sedutil-cli --scan
As stated already, the new encryption options would be available through the kickstart interface. Users could specify their preference using the --luks-version option in their kickstart files.
Here's an example kickstart snippet for encrypted automatic partitioning:
autopart --type=lvm --encrypted --passphrase="passphrase" --luks-version=luks2-hw-opal --opal-admin-passphrase="..."
Verification
After installation, users could verify the encryption setup using the cryptsetup luksDump command.
sudo cryptsetup luksDump <device>
Replace <device> with the path to your encrypted device (e.g., /dev/sda2).
Check the Data segments section of the output. The segment type listed there indicates which encryption method was used.
For combined hardware and software encryption, you would see:
LUKS header information
Version: 2
...
Data segments:
0: hw-opal-crypt
For hardware encryption only:
LUKS header information
Version: 2
...
Data segments:
0: hw-opal
For software encryption only (default behavior):
LUKS header information
Version: 2
...
Data segments:
0: crypt
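As an added example (not part of the Fedora proposal, nor code from the sedutil or cryptsetup projects), the shell script below wraps the two checks described on this page: filtering the output of sedutil-cli --scan for OPAL 2.0 devices before installation, and reading the data-segment type out of cryptsetup luksDump output after installation. It runs on constructed sample output embedded in the script, not on output captured from a real system. The scan line layout it expects (device path, OPAL level, model, firmware, with "2" in the second column marking an OPAL 2.0 drive) is an assumption about sedutil-cli's format, and the helper names (opal2_devices, luks_mode, mode_of, opal2_of) are hypothetical.

```shell
#!/bin/sh
# Added example, not taken from the Fedora proposal or from sedutil/cryptsetup.
# Two small parsers for the checks described on the page:
#   opal2_devices - reads `sedutil-cli --scan` output on stdin and prints the
#                   devices reported as OPAL 2.0 compliant, one per line.
#   luks_mode     - reads `cryptsetup luksDump` output on stdin and prints the
#                   type of data segment 0: crypt, hw-opal or hw-opal-crypt.
# Assumption: each scan line looks like "<device> <opal-level> <model> <fw>",
# with "2" in the level column for OPAL 2.0 drives and "No" for unsupported ones.

opal2_devices() {
    # Keep only lines that start with a /dev path whose level column contains 2;
    # the banner and trailer lines never start with /dev.
    awk '$1 ~ /^\/dev\// && $2 ~ /2/ { print $1 }'
}

luks_mode() {
    # After the "Data segments:" header, print the type of the first segment
    # (the "0:" line). Nothing is printed if no such section exists.
    awk '
        /^Data segments:/ { in_seg = 1; next }
        in_seg && !found && /^[[:space:]]*0:/ { print $2; found = 1 }
    '
}

# Constructed sample input (not captured from a real machine).
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/nvme0  2  Example NVMe OPAL2 Drive  1.0
/dev/sda   No  QEMU HARDDISK             2.5+
/dev/sdb    2  Example SATA OPAL2 Drive  1.0
No more disks present ending scan'

SAMPLE_DUMP_HW_CRYPT='LUKS header information
Version:        2
Data segments:
  0: hw-opal-crypt
        offset: 16777216 [bytes]
        length: (whole device)'

SAMPLE_DUMP_HW='LUKS header information
Version:        2
Data segments:
  0: hw-opal
        offset: 16777216 [bytes]
        length: (whole device)'

SAMPLE_DUMP_SW='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64'

# Hypothetical helpers: run a parser over a string and return a single line.
mode_of()  { printf '%s\n' "$1" | luks_mode; }
opal2_of() { printf '%s\n' "$1" | opal2_devices | paste -s -d ' ' -; }

if [ "${1:-}" = "demo" ]; then
    echo "OPAL2 devices:    $(opal2_of "$SAMPLE_SCAN")"
    echo "hw+crypt dump:    $(mode_of "$SAMPLE_DUMP_HW_CRYPT")"
    echo "hw-only dump:     $(mode_of "$SAMPLE_DUMP_HW")"
    echo "software dump:    $(mode_of "$SAMPLE_DUMP_SW")"
fi
```

On a real system, source the script and pipe the live tool output in instead of the samples, for example sudo sedutil-cli --scan | opal2_devices before installation, or sudo cryptsetup luksDump /dev/sda2 | luks_mode afterwards; an empty result from luks_mode means the device has no LUKS2 data segment section at all, which is worth treating as a failed check rather than as "software encryption".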
Potential Benefits and Considerations
Possible Advantages
- Performance improvements on low-power systems
- Increased security through layered encryption (when using both hardware and software)
Important Notes
- The feature would be optional and not enabled by default
- It would require explicit selection during installation
- Using hardware-only encryption relies entirely on the drive manufacturer's implementation, which cannot be inspected from the host; the combined mode keeps software encryption in place alongside it
Compatibility and Upgrades
This proposed change would only affect new installations. Existing systems would not be impacted by this feature.
User Experience
After installation, users should not notice any differences, as the system will behave in the same way as with "normal" disk encryption.
Next Steps
The Fedora Engineering Steering Committee will review this proposal. If approved, it could bring more encryption options to Fedora Linux 41, potentially enhancing security and performance for users with compatible hardware.
For more information or to provide feedback on this proposal, please visit the Fedora discussion forum: