Full Disk Encryption (FDE) on Fedora 40

Is it possible to perform Full Disk Encryption (FDE) during the installation of Fedora 40? I’ve seen mentions that such encryption is possible at the install but the only encryption I managed to apply left two partitions unencrypted: one with 1 MB and the other with 1 GB, which I assume are the boot partitions.
Is this encryption possible during or after installation with LUKS? Or would encrypting these two partitions not actually benefit the user that much?

The 1MB partition is the BIOS boot partition, which is required if your device uses a legacy BIOS instead of UEFI:

You can encrypt your boot partition, but with secure boot enabled I prefer it unencrypted. I have set up my UEFI settings menu with a password (and it also asks for a password before each boot), so it sort of eliminates attacks related to physical access to the device.

https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)


I know the boot partition (BIOS boot for legacy MBR boot; and /boot/efi for UEFI boot) cannot be encrypted because the BIOS must be able to read those to boot.
I also believe that /boot must not be encrypted for the same reason though I have not tested that.

BIOS has no way to read an encrypted partition and thus could not boot in that case.

I think I have a thread on this here on the forums that’s pretty old. Now you do have to choose the advanced setup and set up the LVM/BTRFS container and encrypt that. Then create your partitions inside the vault.

I could dig this up and show images. . .

Also. . . :100:
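An added example, not from any poster in this thread: a small POSIX sh audit that walks an lsblk-style device listing and reports which mounted filesystems sit inside a dm-crypt/LUKS layer and which are plaintext, so the small unencrypted boot partitions from the question show up explicitly. The listing format, the sample devices and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit which mounted filesystems are
# protected by a dm-crypt/LUKS layer and which are plaintext.
#
# Input: one block device per line, fields NAME TYPE FSTYPE MOUNTPOINT PKNAME,
# with "-" for an empty field. On a live system the same columns come from
#   lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# (empty fields would have to be filled in with "-"). The listing below is a
# constructed sample of the layout the thread describes: EFI and /boot left
# unencrypted, everything else inside a LUKS container holding LVM.

SAMPLE_LSBLK='sda disk - - -
sda1 part - - sda
sda2 part vfat /boot/efi sda
sda3 part ext4 /boot sda
sda4 part crypto_LUKS - sda
luks-example crypt LVM2_member - sda4
fedora-root lvm ext4 / luks-example
fedora-swap lvm swap [SWAP] luks-example'

# audit_fde LISTING
# Prints "<mountpoint> <device> ENCRYPTED|PLAINTEXT" for every mounted
# filesystem. A filesystem counts as encrypted only if some ancestor in its
# parent chain (PKNAME links) is a dm-crypt ("crypt") device.
audit_fde() {
    printf '%s\n' "$1" | awk '
    {
        type[$1] = $2
        parent[$1] = $5
        if ($4 != "-") mount[$1] = $4
    }
    END {
        for (dev in mount) {
            state = "PLAINTEXT"
            for (p = dev; p != "" && p != "-"; p = parent[p])
                if (type[p] == "crypt") { state = "ENCRYPTED"; break }
            print mount[dev], dev, state
        }
    }' | sort
}

# count_plaintext LISTING -> number of mounted filesystems outside any LUKS layer
count_plaintext() {
    audit_fde "$1" | grep -c ' PLAINTEXT$'
}

# Run with --demo to print the audit table for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    audit_fde "$SAMPLE_LSBLK"
fi
```

On the sample layout the audit lists / and swap as ENCRYPTED and /boot and /boot/efi as PLAINTEXT, which matches the two small partitions the installer leaves outside the LUKS container.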

I know you said that this is up to me, but is there any kickstart script for FDE available online? Don’t get me wrong, I can always try, but this is all new to me.

Is this all possible within the Anaconda installer? I’m interested in the images if it’s not too much of a hassle to find them.

It seems interesting, but it’s beyond my knowledge (I’m not a programmer, just a musician). However, I won’t rule out learning it someday, as it seems very useful. Without the automation, how could I implement this partition scheme during a manual install? I’ve seen some guides, but many of them vary between versions, so I’m not exactly sure how to proceed.

Maybe not for the OP but for others who come across this. I don’t find kickstart any good for its documentation. It is also a bit limiting.

The true freedom comes from just writing a bash script to install Fedora from a terminal in a running Fedora. It also might be better for some use cases. And just bash scripting comes so naturally versus learning some extra meta language that’s used only for installations.


Some things are best done without software.

As you can see, FDE is not trivial, and offers no protection against physical damage to the system. I’ve known people with security clearances who had a big safe in their office and either a removable drive in a desktop or laptop that is put in the safe (along with any papers on their desk) when not in use.
