BcacheFS integrates filesystem-based encryption, without using LUKS, which is block-based and thus not as complete.
It allows TPM unlock and stores the keys in the kernel keyring.
The encryption uses ChaCha20; each block is authenticated with a MAC.
Due to being filesystem encryption, you have a chain of trust up to the “super block”. Block-based encryption cannot store MACs without causing alignment problems.
When entering the password in the initramfs, the key is derived from the password using scrypt.
Really cool stuff! I want to experiment with installing Kinoite on bcacheFS, but I have never used Anaconda with manual partitioning before.
Is BcacheFS even an option in Anaconda? I don’t believe it is, so you would be doing a full manual install or a Kickstart file? Not sure how any of that would work with rpm-ostree.
Is a manual install of rpm-ostree possible on Fedora?
Do you have to build bcachefs to get it to work, or are there packages already?
Would ublue be a better option for this, allowing you to customize this in better detail, by already having the barebones available and being potentially more efficiently reproducible?