Should Fedora enforce drive encryption on new installs?

systemd-homed does not use /etc/shadow.

I like the idea of being able to just replace the OS, but still be able to keep my home directory intact, and encrypted.

It doesnt? But doesnt the integration with SDDM or GDM store a hash there or something?

Ifaik the shadowfile doesnt store plain passwords, but protecting it could be useful anyways

The shadow file does not store plain passwords.
It does, however, contain the salt used to encrypt the password for comparison in addition to the hash of the password. Having it readable seems a real security issue to me.

When a user is logging in, the salt from that entry is used to encrypt the entered password for comparison with the hash. Having that file readable opens the system up to a hacker being able to copy it out then remotely brute force finding a password for the user.

1 Like

I donā€™t think Fedora should enforce drive encryption unless it also comes out-the-box with Trim enabled fully for SSDs. Having to deal with the OS and LUKs/crypt years ago was annoying enough for me to not try it again on SSDs :stuck_out_tongue: Iā€™ve also had double password prompts with various distros and GRUB making it extra-annoying.

Although really I donā€™t want drive encryption enforced at all anywhere. I disable TPM2 from BIOS, sometimes turn it on, and donā€™t want to be concerned with the OS reacting to that or expecting the TPM. If I donā€™t want encryption for a particular OS install, I donā€™t want it :stuck_out_tongue:


I liked how Windows 11 Bitlockerā€™d my drive at some point post-install because it wasnā€™t noticeable! I didnā€™t have to set anything up during install, but presumably W11 did it through TPM2 and key on OneDrive/MS account (which Iā€™m fine with since Iā€™m only concerned with convenient physical access; MS account is secure).

With this though, I didnā€™t want encryption on that OS install. But since MS enforced it, Iā€™m at least content with it not requiring anything extra (trim worked, TPM2 I have on since W11 generally requiring it, no extra passwords at boot).


And any enforced encryption on Linux absolutely has to allow me to simply mount it from a Linux LiveUSB for data recovery/backup; GNOME Disks or GUI file manager, enter a password, done kind-of ordeal. If I have to command-line it and research, that might be done once before I donā€™t entertain encryption or the distro that enforced it ever again. I ran into about an hour of fun (without success) trying to recover FreeBSD with ZFS root from a Linux LiveUSB, without encryption :stuck_out_tongue: (UFS was easier)

Basically, I donā€™t think encryption should be enforced, but Iā€™d tolerate it as a default setting as long as I can still do Custom partitioning in Anaconda to do Standard partitioning without encryption on basic ext4/XFS/F2FS root partitions.

I have an unpopular take here: Make it opt-out, and make it TPM-backed, like Ubuntu is doing now, with a fallback to standard password-based unlocking if we canā€™t detect a TPM. No issues with lost passwords, and itā€™s completely transparent to the user.

I disagree.

ā€˜Opt Outā€™ would catch many inexperienced users and potentially cause much more confusion and problems with having to have the passphrase remembered from the very beginning.

ā€˜Opt Inā€™ seems a better choice with clear documentation as to how to manage it.

Many of us ā€˜old fogiesā€™ that have been using linux for a long time really hate being forced into a change and we want to have the choice at our own pace.

One (of many) reasons I chose to leave windows years back was the cavalier attitude that Microsoft knows what is best for their users and forces updates monthly with the user having no options. ā€˜Opt Outā€™ on encryption would be a step in the same direction.

ā€˜Opt Outā€™ forces a decision at installation time, and the need for encryption really depends upon our use case. Being forced to encrypt the OS is taking the option away from the inexperienced and the option can potentially be overlooked with disastrous consequences.
At present it is already ā€˜Opt Inā€™ since we can choose to perform the encryption when doing the installation.

TPM backed is another issue since that could potentially tie the OS as installed to exactly one piece of hardware as MS has done for their OS to ensure users pay their licensing fees. At present Linux can be installed, then the drive relocated to another machine with no problems. If TPM linked and hardware identifying information is required to unlock this would no longer be the case.

Possibly TPM may fit some use cases, but certainly not all.

3 Likes

Not to be that person, but if youā€™re an ā€œold fogieā€ as you said, who dislikes change, why do you use Fedora (one of the most leading-edge, forward distros around)? Genuinely curious! ^w^

Iā€™ve definitely come around to seeing this perspective. I always assumed that the average Fedora user was decently experienced, and wouldnā€™t have as many issues with a change like this-- but thatā€™s just not true, Fedora is for everyone. (which is great!)

Yeah, IIRC macOS doesnā€™t do anything like FDE by default, but you can enable FileVault to turn it on, and itā€™s tied to your login (user) password. Apple also (again, IIRC) enables backing up the FileVault recovery key to iCloud by default.

EDIT: It looks like recent Macs (T2 and M-series) have ā€œencryptionā€ by default, but itā€™s not specified on Appleā€™s FileVault page what that entails.

I love staying up to date. I merely hate the forced changes that can happen behind the scenes and take the choice away from a user who may not be fully up to date on the planning.

A recent change that added the forced ā€˜suspend after 15 minutes idleā€™ was a perfect example. It broke using home computers as media servers and broke remote access for many. The only apparent exception was the server edition. For others it required a manual config update to restore the 'always available 24 hours a day ā€™ that they were used to. For systems that were managed remotely it required someone locally to wake up the system before it could be accessed and reconfigured.

Encryption could also break access for those who may have difficulty in remembering passwords or access steps.

2 Likes

I love encryption on everything and multiple verification methodsā€¦ I guess i am freak and somehow paranoid on security, encryption, security, but i still think encryption option should be optin/optout so everyone can choose there threat modelā€¦

I would live to see TPM implementing and hardware key unlocks (yubikey) backup long ass recovery key

This cones from openSUSE aeon i like how they have developing that method primary TPM then long recovery key and optionally yubikeys etc as backups

FWIW, you might not want to use a YubiKey. Their USB plug is a PITA and their firmware is non-free (proprietary). Nitrokey has an actual USB plug and all of their code is free as in freedom. IIRC Purism (Librem 5 people, they employ several GNOME folks) also hass a competitor to YubiKey, but I canā€™t speak on it.

EDIT: It looks like the Librem Key is something different meant for hardware encryption keys specifically. You might still want to check it out.

Yeah there is many option for fido2 keys just not yet well i am considering. Also duress password is awsome should be on linux too 3 times wrong locks system and wipes data can be recovered from full system back if wants i have that enabled on my phone where i can enter duress password or pin code on anywhere and it locks screen and wipes data same happends if 3 times wrong password/pincode

1 Like

Can someone list the parts of the operating system worth hiding/encrypting?

What needs encrypted depends entirely on your use case.

Mostly the personal data should be encrypted and possibly the apps installed may offer insight into what is being done on that computer. Definitely any data (such as databases or VM systems) that are stored in the OS area and not in a users personal data space wold be candidates.

In general, when using fedora with luks it encrypts by default the entire OS and user space. The only part that is not encrypted by default is the efi partition (/boot/efi) and /boot since both those must be readable by the bios and boot loader (grub & equivalent) to perform the boot.

If you have a laptop and it ever leaves your home/car/whatever you live in, you should probably be using full disk encryption in case it gets lost or stolen. Without it, itā€™s easy enough to extract the contents of your SSD and exfiltrate important data, or even mount the contents as a VM image and boot into it. Since they have full filesystem access, they can easily remove things like user passwords too.

Fedora should offer encryption for homeand other partitions but with permission if user what just like what we see for android.
Encryption should be default.without user knowledge users should be protected.
Users dont even know that there device is encrypted and all know they loose data if they forget password.

This was my primary topic when I was asking for the implementation of encryption by default

1 Like

I do also fit in that category. I do agree that transparency is better than a silent enforcement.

The situation where @computersavvy is mentioning, could indeed have been a smoother transition. It should have been announced as an official change request and afterwards should have been made a test week/tests of this power functions, to avoid all this inconveniences it caused for a lot of users and helpers here.

Fedora Community is welcoming all kind of persons. This includes newbies and such users where move from one OS to an other etc.

That is not the correct way to ask for implementation. Please read the manual and study the links I made.

And please, next time you ask alias throw something like this in the round, respect the Categoryā€™s as they are made for.

As I remember you have been here while we made the migration from ask to discussion being a subcategory if it. Users from Discussions had the preoccupation that we will bother the teams with discussions like this. Bringing Arguments, without believing have any responsibility, to implement such a spin to see how it would work. Without using any official procedures as we use here in the community.

You have been informed many times, not using the Project Discussion category. If you want to make some chit-chat as this discussions mostly are please use the The Water Cooler for that.

I will close this topic now and hope the next who brings it up will make a concrete change request and takes the responsibility to carry it on, and also makes the support when we run into issues as mentioned here.

Just telling the others what they have to do is easy, but not really the spirit of Opensource.

4 Likes