Disk Encryption

WARNING

This page is work in progress and more details are needed. There is no open issue regarding encryption on GitLab.

Encryption

Disk encryption protects data when the device is off. LUKS2 is used to encrypt disks, allowing full-disk encryption (FDE).

Setting up LUKS2 FDE

Kickstart is a config file which works with Anaconda to install the system. The kickstart config file (config.toml) partitions the disks and sets up FDE; the /boot partition remains unencrypted.

Unlocking LUKS2 volumes

LUKS2 volumes can be unlocked by a passphrase or by hardware security tokens. By default, the volume is unlocked using a passphrase; the default passphrase of the LUKS2 volume is euos. The default LUKS2 passphrase can be changed after installation; as the project progresses, a strong passphrase could be generated during partitioning. Hardware security keys are a convenient alternative to passphrases. systemd-cryptenroll is used to enroll hardware security tokens such as TPM, FIDO2 and PKCS#11 devices. Currently, FIDO2 is supported for unlocking the LUKS2 FDE volume at boot.

Enroll your FIDO2 device:

sudo systemd-cryptenroll --fido2-device auto /dev/<device, i.e. nvme0n1p3>

Add kernel argument to tell the initrd to use FIDO2:

sudo rpm-ostree kargs --append rd.luks.options=<LUKS device ID>=discard,fido2-device=auto
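As an added example (not part of this page or the project's own tooling), the two commands above wrapped in a POSIX shell script that resolves the LUKS UUID itself instead of having it typed by hand, verifies that the token was actually enrolled, and checks whether the documented default passphrase still unlocks the volume. It assumes that the <LUKS device ID> placeholder is the LUKS2 volume UUID as printed by cryptsetup luksUUID (the form dracut's rd.luks.options expects), that rpm-ostree manages kernel arguments as on this page, and that the function names (is_uuid, luks_karg, enroll_fido2, fido2_enrolled, default_passphrase_active) and the LUKS_DEVICE variable are names chosen here.

```shell
#!/bin/sh
# Added example, not project code. Assumptions:
#   - "<LUKS device ID>" is the LUKS2 volume UUID from `cryptsetup luksUUID`;
#   - kernel arguments are managed by rpm-ostree, as on the page;
#   - DEFAULT_PASSPHRASE is the documented default ("euos").
set -eu

DEFAULT_PASSPHRASE="euos"

# Return 0 when $1 looks like a LUKS UUID (8-4-4-4-12 hex groups).
is_uuid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the kernel argument from the page for a given LUKS UUID.
luks_karg() {
    printf 'rd.luks.options=%s=discard,fido2-device=auto\n' "$1"
}

# The two page commands, with the UUID resolved from the device header.
enroll_fido2() {
    dev="$1"
    uuid="$(sudo cryptsetup luksUUID "$dev")"
    if ! is_uuid "$uuid"; then
        echo "no LUKS UUID found on $dev" >&2
        return 1
    fi
    sudo systemd-cryptenroll --fido2-device auto "$dev"
    sudo rpm-ostree kargs --append "$(luks_karg "$uuid")"
}

# Verify: luksDump lists a systemd-fido2 token once enrollment succeeded.
fido2_enrolled() {
    sudo cryptsetup luksDump "$1" | grep -q 'systemd-fido2'
}

# Verify: does the documented default passphrase still open the volume?
# --test-passphrase checks the key slots without mapping the device.
default_passphrase_active() {
    printf '%s\n' "$DEFAULT_PASSPHRASE" |
        sudo cryptsetup open --test-passphrase "$1" >/dev/null 2>&1
}

# Run the procedure only when a device is given, e.g.
#   LUKS_DEVICE=/dev/nvme0n1p3 sh fido2-enroll.sh
if [ -n "${LUKS_DEVICE:-}" ]; then
    enroll_fido2 "$LUKS_DEVICE"
    if fido2_enrolled "$LUKS_DEVICE"; then
        echo "FIDO2 token enrolled on $LUKS_DEVICE"
    else
        echo "no systemd-fido2 token found on $LUKS_DEVICE" >&2
        exit 1
    fi
    if default_passphrase_active "$LUKS_DEVICE"; then
        echo "default passphrase still unlocks $LUKS_DEVICE; change it with:" >&2
        echo "  sudo cryptsetup luksChangeKey $LUKS_DEVICE" >&2
    fi
fi
```

Keep a passphrase key slot alongside the FIDO2 token: the passphrase is the recovery path if the token is lost, which is why the script reports the default passphrase rather than removing it.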