Should Fedora enforce drive encryption on new installs?

I find that most installations generally skip drive encryption, even though most distros provide that option. Therefore, if it can be enforced, people should be required to turn off encryption if they do not want it, similar to what Pop OS does, which is technically nice to have. This would make a Fedora installation more secure by default, providing basic protection against data theft and other potential threats, for example if the device is stolen.
At least it should be enabled and enforced on the Silverblue/Kinoite, Workstation and general spins. It may not be useful for some server options.
It may not be possible in the old Anaconda, but it could be a feature for the new Anaconda web installer, which is a potential replacement for the old Anaconda.

1 Like

Personally, I would not want drive encryption to become an opt-out choice.

At least not until we have a very convenient and reliable method to convert between encrypted and decrypted.

The worst nightmare is a data owner losing access to their own data, which forced encryption might make come true for unprepared users.

8 Likes

Why? LUKS2 is stable enough. I have never found an issue like that.

I think that for a lot of home users, the inconvenience of needing to provide the LUKS passphrase when applying updates probably outweighs the security advantage.

I’d like to see us move to systemd-homed by default for Silverblue (first) and then Workstation — I think per-user encryption by default there makes sense.

7 Likes

I agree with Fung Chi. Encryption should be opt-in, not opt-out. There is too much potential for a user to get locked out of their own data and I think that would be really bad. What if, for example, a person had to rollback their OS because the video driver or some other critical component didn’t work but the encryption for their personal files was changed as part of the (failed) upgrade and the reverted OS cannot decrypt the files? That’s just one (perhaps far-fetched) hypothetical. But it seems like there are more opportunities for people to lose access to their potentially important files with encryption when something goes wrong. My PC is not in a place where I am concerned about it being stolen. (And if a thief were so determined to get my PC, they could also force the password from me.) IMO, there is no benefit to justify the risk that encryption adds (at least not where my PC is concerned).

From https://xkcd.com/538:

6 Likes

The middle ground could be to encourage encryption, or encourage people to look into encryption, for laptops. I think that’s where device encryption makes the most sense because it’s the most vulnerable to being stolen.

Really I think this recommendation could make more sense in a Tips app or the new Gnome security level feature that’s being worked on. The problem with that is that encryption has to be enabled when you’re installing the OS. Being told about the benefits and responsibilities of encryption after you’ve installed it would be annoying for anyone who would consider it.

Other OSes like Android do provide encryption out of the box, but they come tied with Google’s cloud backups and other cloud-based services such that if you were to lose your device or forget your password then you could still recover most of your data. Fedora and Linux distros in general don’t provide that. If enabling encryption safely means having to be responsible for your own backups, and we can’t count on end users doing that, then we would be setting them up for failure by enabling encryption by default.

Maybe this idea can be spun off into something else, though?

1 Like

I agree with Matthew’s point. The current full-disk encryption implementation is not ideal for most workstation users. Having to type a password to boot up the rest of your system just to authenticate your actual user can get pretty cumbersome quickly, and it doesn’t benefit multi-user setups as much. Personally, I’m looking forward to Fedora utilizing systemd-homed encryption features by default in the future.

Also, that has nothing to do with data recovery. If all it takes to access your data is extracting the hard drive, then what's the point of creating a user password? This is already a standard in the mobile market, and it's slowly making its way into the desktop space (see Chromebooks). It's a matter of time till we get used to it here as well.

1 Like

The password often blocks remote access by various protocols (e.g. SSH). It is still useful even when the computer is physically locked behind secure doors.

If anything, I think encryption should be more difficult to enable, not less. My casual observation of the technology is that the ransomware attackers have found it more useful than any home user. I would rather see it not possible to encrypt one’s filesystems or drives unless the user purchases a physical security token for that purpose. That still wouldn’t prevent a ransomware attacker from being able to encrypt someone’s files. But at least it wouldn’t be as simple as flipping a switch.

1 Like

I disagree.
Potentially, on a laptop that is commonly mobile, the user should encrypt it. For a home PC or a laptop that is not commonly mobile, the user should not be forced to disable encryption because it is the default.

If you have kept up with the threads here, there seems to have been a good percentage that are related to difficulties with encryption, and forcing it on those who might otherwise not even have considered it seems to be a bad idea.

It is already available in Anaconda if the user chooses.
Making it the default could severely affect users' ability to function, as evidenced by the recent spate of errors with kernels 6.1.5 & 6.1.6 for users with NVIDIA GPUs and the reported black screen halts.

As it is, the user is not forced to decide; the choice is freely made. Making it mandatory would force a decision and may backfire on Fedora overall.

3 Likes

I think this is a key point. If a thief steals someone’s data, it is the thief’s action and the thief is liable. If Fedora default-encrypts stuff and in so doing causes someone to lose their data, that would be Fedora’s action and the blame would be on Fedora.

2 Likes

I agree, though that comment was based on my thoughts about user satisfaction with the experience and I had not considered liability issues.

1 Like

Well, a disclaimer could waive potential legal issues, so who’s at fault from the user’s perspective is probably the main concern. But any way you look at it, I don’t think it would look good for Fedora.

That’s not where you go to block SSH, though… Everyone in this day and age should use PasswordAuthentication no in /etc/ssh/sshd_config. Key pairs are far more secure than measly passwords. But all of this is beside the main discussion.

That would just be obscuring certain functions arbitrarily. What you’re proposing just makes the life of the intended users harder while giving attackers an easier time stealing data (because it’s not encrypted). Just hiding, or even not including, encryption tools with Fedora won’t prevent anyone who’s got access to your system from doing whatever they want with your files.

This aspect of ransomware isn’t even applicable to the discussion. An attacker who’s got access can still encrypt the encrypted data, delete everything, or fill the drive with heart emojis. This can only be mitigated by having backups. Another issue is the fact that attackers can read your data, but this wouldn’t be a problem if you had encrypted your files.

Also hardware security tokens are used for authentication. You’d still be using the already existing encryption methods.
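The sshd_config point above, as an added example that is not part of the thread: a small POSIX sh audit of an sshd_config text for the settings that leave a password login path open. The sample configurations are constructed inline, and the function names effective_value and audit_sshd_config are my own. The check bakes in two details a practitioner will want: both PasswordAuthentication and KbdInteractiveAuthentication default to "yes" in OpenSSH, so an unset keyword is still a finding (keyboard-interactive via PAM still prompts for the account password), and sshd takes the first occurrence of a keyword. On Fedora the stock /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a `PasswordAuthentication no` appended to the bottom of the main file can be silently overridden by a drop-in; the authoritative view on a real host is `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config text for
# password-based login paths. The config is passed in as a string so the
# script runs offline on the constructed samples below. On a real host,
# `sshd -T` (not run here) resolves Includes and defaults and is the
# authoritative view of what sshd actually enforces.

# Constructed sample of a weak configuration (not a real host's file).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PubkeyAuthentication yes'

# Constructed sample of the corrected configuration: key pairs only.
HARDENED_CONFIG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# effective_value KEYWORD CONFIG_TEXT
# sshd honours the first occurrence of a keyword (later ones are ignored)
# and matches keywords case-insensitively. Comments are stripped first.
# Prints the value, or "default" when the keyword is not set at all.
# Match blocks are not modelled; use `sshd -T -C user=...` for those.
effective_value() {
    printf '%s\n' "$2" \
        | sed 's/#.*//' \
        | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' \
        | grep . || echo default
}

# audit_sshd_config CONFIG_TEXT
# Prints one FINDING line per open password path and returns 1 if any
# was found, 0 otherwise. PasswordAuthentication and
# KbdInteractiveAuthentication both default to "yes" in OpenSSH, so an
# unset keyword counts as a finding: keyboard-interactive through PAM
# still asks for the account password even when PasswordAuthentication
# is "no".
audit_sshd_config() {
    cfg=$1
    rc=0
    pa=$(effective_value PasswordAuthentication "$cfg")
    if [ "$pa" != no ]; then
        echo "FINDING: PasswordAuthentication is '$pa' (want 'no')"
        rc=1
    fi
    ki=$(effective_value KbdInteractiveAuthentication "$cfg")
    if [ "$ki" != no ]; then
        echo "FINDING: KbdInteractiveAuthentication is '$ki' (want 'no')"
        rc=1
    fi
    prl=$(effective_value PermitRootLogin "$cfg")
    if [ "$prl" = yes ]; then
        echo "FINDING: PermitRootLogin is 'yes' (want 'no' or 'prohibit-password')"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no password login path is open"
    fi
    return "$rc"
}

echo '== weak sample =='
audit_sshd_config "$WEAK_CONFIG" || true
echo '== hardened sample =='
audit_sshd_config "$HARDENED_CONFIG"
```

To run it against a live file, pass the file contents instead of the samples, for example audit_sshd_config "$(cat /etc/ssh/sshd_config)", and then confirm with sshd -T that no drop-in in sshd_config.d overrides what the main file says.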

They can still read the data even when the at-rest form is encrypted. It has to be decrypted for use in memory. Encryption does not prevent hacking. Encryption only has the potential to prevent someone from accessing the files if they were to physically steal the device.

1 Like

It’s true that encryption is more useful when you’re traveling around with your devices. But it’s not like laptops and desktops are different platforms. They use the same Fedora. If Fedora found that encryption is useful to laptops, there would be no reason not to have it by default on desktops as well.

That’s why I prefer the systemd-homed method over the current default implementation. After all, it’s the home directory that actually has the data you want to protect. There is no reason to encrypt the rest of your filesystem.

No one proposed for anything to be forced. Just to have saner defaults.

1 Like

That’s just, to be blunt, nonsense. If what you’re saying is true, then Apple and Google should’ve been out of business by now. You forgot your password and now it’s Apple’s or Red Hat’s fault? Unlike Fedora, you CAN’T use an iPhone without encryption, so I don’t know how they’re still alive without your proposed encryption disclaimer.

Still much better than leaving everything out there for anyone with device access.

If or when Fedora has this option on the table to be able to encrypt home directories on a per user basis, then it does make me lean in the direction of wanting to have it enabled by default. It’s closer to what iOS and Android do. It also simplifies decryption. When you have a password, you need the password to get in. If you don’t have a password, then people can get in with physical access. That makes sense to me because you’re layering in more security on the tangible model folks already have for wanting to have passwords on their computers. In this case you wouldn’t need two passwords to start up. Your one password decrypts and lets you in seamlessly.

The only thing that still makes me hesitant is the lack of backups. Google and Apple can give you encryption by default, but they also have a backup solution enabled by default, like I mentioned before. If we don’t have that, then folks would be in a real pickle. Another difference to note as well is that mobile OSes rely much more on apps that have accounts you log into, not unlike websites. For example, even if my phone wasn’t encrypted, I’m still not worried about losing my email because Gmail is a service that I am logging in for. On Linux it biases more toward software that just runs locally, which makes your local files and having a backup even more important.

True, you can connect your nextcloud account in gnome’s settings, but I doubt most would go out of their way to do that, especially when it doesn’t constantly advertise a cloud service in your face everywhere like other proprietary operating systems do.

This is kinda off topic, but I wish there were a “tips” app like on Pixels and iPhones that sends you occasional useful info about the OS. Maybe it could inform you about online accounts or backups in general.

Regardless, I still think the benefits outweigh the negatives here. If you constantly enter a password to log in, you’re bound to have it stuck in your muscle memory. Just like phones, you’d almost never forget the password unless you hadn’t used it in a long time.

And don’t forget, you can also trust your passwords to a cloud backup service like LastPass so you don’t have to worry about losing those either. :wink:

Yep,
Another online site that can be hacked and allow your passwords to be stolen & cracked.
(sarcasm intended)