Encrypted Fedora Install - Most Seamless Experience I've Seen Yet

Full disclosure that I’m on Silverblue, though I’ve had the same experience on traditional Fedora as well… I recently did an encrypted (automatic) install of Silverblue 35 on my new laptop since I’ll be taking it out of the house. — I have some good things to say, as well as some general questions!

First off, I’m thrilled that using an encrypted install doesn’t fall back to/force Ext4. I didn’t expect this to happen, but it’s still on the back of my mind as many distributions will just do that and there are no automatic partitioning options for BTRFS. Top-notch!

Beyond that, I’ve noticed something where Fedora differs from other distributions, and that’s the seamlessness of the decryption prompt, as well as the speed. When I boot up my laptop, I go straight from UEFI splash to decrypt prompt, quickly. There’s no weird text glitching through, the splash screen doesn’t go away and give me a text prompt, there’s no waiting. It’s just clean cut all the way through.

My experience on other distributions has typically been that the decryption screen not only takes quite some time to appear, but it usually isn’t even ready for my input immediately. With Ubuntu (and so far every Ubuntu-based system I’ve tested), I find myself waiting nearly 10 seconds just to get the prompt, and then if I type in immediately as it shows up, it misses keystrokes. I need to wait almost another five seconds before it’s properly ready. THEN, boot takes a decent while.

I have absolutely no idea what the fundamental difference is in the way Fedora’s implementation is, but I’ll say it’s fantastically well-done. The decryption screen is clean, doesn’t present weird text I don’t need to see, and yet isn’t a slowdown. Once I plop my password in, it’s less than a couple seconds until I’m at GDM. It’s absolute lightning.

If anyone has some light to shed on maybe the different components Fedora might be using, or maybe it’s just down to configuration and optimization, I’m super interested in knowing!

Massive props to everyone who worked on this, because it’s yet another reason I am happy to be using Fedora (Silverblue). Encryption should not be an inconvenience IMHO, and this makes Fedora a great proponent of more secure computing in my mind. <3 Well-done.

12 Likes

Same experience here! I hadn’t used LUKS for many many years, and it used to be incredibly painful. With F35 it was simple to set up, and works smoothly. I’ve even added a keyfile on a USB flash drive that’s plugged into my docking station, so that (on most days) when my laptop is at my WFH desk I don’t even get prompted for the decryption passphrase.

4 Likes

I did this same install recently (encrypted Silverblue), and it has been a great experience.

3 Likes

Excellent thread, and an odd coincidence for me as I was thinking earlier about how my current installation is unencrypted. That’s great to read the encrypted install still uses Btrfs. I’ll definitely be going this direction for my Fedora 36 install.

2 Likes

Fedora Silverblue (and Workstation) is definitely my best Linux experience of my life. :wink:

Some time ago I gave RHEL-derived Oracle Linux 8 a try, which supposedly offered a BTRFS install option unavailable on RHEL 8. But just like you say, I had to choose between full-disk encryption or the BTRFS file system, so I don’t think it is suitable for laptops. On Fedora, it is possible to use BTRFS with full disk encryption because /boot is in fact placed on EXT4, see:

3 Likes

Super thrilled to hear that others have been having such a positive experience with encrypted installs on Fedora as well. It really stood out to me!

@kpfleming, the USB keyfile is such a great idea! That’s definitely something I’m gonna look into setting up for when I’m docked in at my desk anyway. Really clever stuff!

@piotr, I really love that you’ve had a great time with being able to run encryption and BTRFS, too. I recently did a few installs of Ubuntu, elementary OS, and a few other Ubuntu derivatives. The one thing that I struggled with was that I had to put quite a bit of effort into getting BTRFS. I was trading features I love and use for security, essentially. I even ended up writing a guide for converting an encrypted install to BTRFS! :laughing: — Fedora just does exactly what I want! Ext4 /boot saves the day. Interestingly enough, I think our disk layouts are just a tad bit different! I wonder why!

2 Likes

@schykle, I run Fedora Silverblue 35 on ThinkPad E480 with rather default install options. I’m not really technical and don’t know how this happened but it appears that you have the EFI system partition (98.2% of free/wasted space), FAT32, while there’s no need for such a thing on my system. My guess: different BIOS setups prior to the install process?

1 Like

If you don’t have an EFI partition it means you are legacy booting with a Master Boot Record (MBR). Newer hardware typically has UEFI-specification firmware and there is a standard GUID Partition Table (GPT).

They both do the same basic thing – point to your operating system and have some process to load it. The primary difference is MBR uses 32-bit entries while GPT uses 64-bit logical block addresses, so computers using legacy BIOS are capped at 2TB disk size while those with UEFI can have disk sizes up to 64 ZiB. Then to answer your question more directly, they have a bit of a different method for loading the operating system, which is what the EFI system partition is used for on UEFI systems.

2 Likes
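The MBR/GPT distinction described in the post above, as an added example that is not part of the original thread: a small Python parser that classifies a raw disk image as MBR or GPT and reports whether it carries an EFI System Partition. The sample images are constructed in memory, and the function names are hypothetical. Address limits depend on the logical sector size: 32-bit LBAs with 512-byte sectors give the 2 TiB cap, and 64-bit LBAs with 4096-byte sectors give 64 ZiB.

```python
import struct
import uuid

ESP_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")  # EFI System Partition type

def address_limit(lba_bits: int, sector: int) -> int:
    """Largest addressable disk size in bytes for a given LBA width."""
    return (2 ** lba_bits) * sector

def classify(image: bytes, sector: int = 512) -> dict:
    """Report the partition scheme of a raw disk image and whether it has an ESP."""
    if len(image) < sector or image[510:512] != b"\x55\xaa":
        return {"scheme": "unknown", "esp": False}
    # MBR: four 16-byte entries at offset 446; byte 4 of each is the type.
    types = [image[446 + 16 * i + 4] for i in range(4)]
    header = image[sector:2 * sector]
    if 0xEE in types and len(header) >= 88 and header[:8] == b"EFI PART":
        # GPT header: entry array LBA (u64) at 72, entry count and size (u32) at 80/84.
        first_lba, count, size = struct.unpack_from("<QII", header, 72)
        esp = False
        for i in range(count):
            off = first_lba * sector + i * size
            if off + 16 > len(image):
                break
            esp |= uuid.UUID(bytes_le=image[off:off + 16]) == ESP_GUID
        return {"scheme": "gpt", "esp": esp}
    return {"scheme": "mbr", "esp": 0xEF in types}

def sample_mbr() -> bytes:
    """Constructed image: one Linux (0x83) partition, no ESP, as on a BIOS install."""
    mbr = bytearray(512)
    mbr[446 + 4] = 0x83
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def sample_gpt() -> bytes:
    """Constructed image: protective MBR, GPT header, one ESP entry at LBA 2."""
    img = bytearray(512 * 3)
    img[446 + 4] = 0xEE
    img[510:512] = b"\x55\xaa"
    img[512:520] = b"EFI PART"
    struct.pack_into("<QII", img, 512 + 72, 2, 1, 128)
    img[1024:1040] = ESP_GUID.bytes_le
    return bytes(img)

if __name__ == "__main__":
    print(classify(sample_mbr()), classify(sample_gpt()))
    print(address_limit(32, 512), address_limit(64, 4096))
```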

Thank you @mpphill2 for the explanations! :smiley: I think we all know that these are distinct boot methods but for a moment my doubt was “how this happened”–I do have a UEFI firmware and yet I boot Fedora in the BIOS-native mode… But I think in my previous post I’ve answered my own and @schykle’s question myself, as I simply have “Legacy First” in my BIOS settings:

Also, as I can read in the documentation:

  • If you boot a Fedora live or install medium in UEFI-native mode and then install Fedora, it will perform a UEFI-native installation.
  • If you boot a Fedora live or install medium in BIOS-native mode and then install Fedora, it will perform a BIOS-native installation.

https://fedoraproject.org/wiki/Unified_Extensible_Firmware_Interface

1 Like

So I have to add Fedora Server is really weird.

Manual partitioning (method 2) doesn’t allow encrypted BTRFS, and the LUKS screen has a “hide unnecessary info” mode but looks pretty ugly.

Apart from that, of course, it still works great.