Future of Encryption in Fedora (Silverblue version)

[travier]

This tracks the work to enable encryption/integrity by default in Fedora Silverblue (an related rpm-ostree variants).

See:

• https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397
• https://pagure.io/fedora-workstation/blob/master/f/notes/encryption.md

Sub-tickets

• https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1
• https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2
• Support UKI ostreedev/ostree#2753

Related issue

Collection of issues related to LUKS support in Silverblue:

• InitramFS Generation with Paired Bluetooth Device Metadata coreos/rpm-ostree#4214
• LUKS unlock screen always uses en-US keyboard layout #3
• Upgrade LUKS key derivation function on (major?) updates #455
• Document the use of FIDO2 devices to unlock LUKS volumes #431
• New Package Request: clevis clevis-dracut clevis-udisks2 #409
• Include tpm2 support in the image #369
• Enable fstrim on LUKS encrypted partitions #31

[ghost]

I would like to add here if it's possible to securely add some sort of "passwodless unlock", i know it exist usage of yubikey for it, but last time i used it it needed to enable the local generation of initramfs to work (on silverblue), and the key was stored with a criminally low iteration of PBKDF2

Many friend of mine don't use Luke because they don't wan't to enter a password at each boot so it may be interesting to take it in account.

[ullebe1]

I would like to add here if it's possible to securely add some sort of "passwodless unlock", i know it exist usage of yubikey for it, but last time i used it it needed to enable the local generation of initramfs to work (on silverblue), and the key was stored with a criminally low iteration of PBKDF2

Many friend of mine don't use Luke because they don't wan't to enter a password at each boot so it may be interesting to take it in account.

With modern systemd it is possible to unlock LUKS2 volumes using any hardware token that supports FIDO2 and the hmac-secret extension, which at least modern Yubikeys do. I personally use this on Fedora Silverblue 38, and while integration with Plymouth isn't perfect, it works great for the most part.

[ghost]

I would like to add here if it's possible to securely add some sort of "passwodless unlock", i know it exist usage of yubikey for it, but last time i used it it needed to enable the local generation of initramfs to work (on silverblue), and the key was stored with a criminally low iteration of PBKDF2
Many friend of mine don't use Luke because they don't wan't to enter a password at each boot so it may be interesting to take it in account.

With modern systemd it is possible to unlock LUKS2 volumes using any hardware token that supports FIDO2 and the hmac-secret extension, which at least modern Yubikeys do. I personally use this on Fedora Silverblue 38, and while integration with Plymouth isn't perfect, it works great for the most part.

i know but it require to add a local gen of initramfs, it's why i ask fedora to do it in the normal image and propose it into the installer would be nice).