Mike <mike.cloaked <at> gmail.com> writes:

Can any experts who know about this comment please? If disk encryption using dm-crypt/LUKS is not fully supported, then what tools or changes might be required within the distribution to properly support this facility? Is this going to get more support in F9?

No-one interested in disk encryption? It is, I understand, supported well in Ubuntu! Fedora should be just as secure in this regard - surely?
I'd just add that most companies and government agencies these days require laptops to be encrypted - even retail stores do these days - so it would be nice if it worked better out of the box. We are not there yet.
Encrypted swap can be made to work using LUKS and /etc/crypttab - which does work fine. There is a warning at boot about the swap device not being able to be resumed - which, while a true statement, is irrelevant in a cold boot setting. But encrypted swap does at least work and is quite straightforward to set up. (You cannot use sleep/hibernate/freeze resume, however.)
Be warned, however, that upon a fresh install of F8 the swap partition will be used as regular swap, which you need to fix again by hand after you have installed F8. To be safe one should re-randomize the swap partition to avoid information leakage. Anaconda knows nothing about encrypted anything - including swap or any partition.
Encrypted partitions (in F7) such as /home do not work correctly when in /etc/crypttab - the passphrase cannot be entered - and it is asked for multiple times... anyway, there is a workaround using a hand-crafted script run out of /etc/rc.local. I have not tried this in F8, but I doubt it is any different.
Encrypted root has no chance yet - at a minimum it requires the updated mkinitrd.
It is my current view that encrypted root - while appealing in some ways - may be more problematic than it's worth. And that encrypting swap and /home, in addition to doing a mount --rebind of /tmp and /var/tmp onto the encrypted partition, is pretty reasonable from a security standpoint. And it is workable on Fedora - albeit by hand. And it will ensure your laptop is always bootable - which is a nice benefit!!
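The random-keyed encrypted swap, LUKS /home and bind-mounted /tmp and /var/tmp layout the reply above describes, written out as an added example (not from the thread or from Fedora's own scripts), together with a check for the install-time pitfall it mentions: the plain partition ending up activated as swap instead of the dm-crypt mapping. The device names /dev/sda3 and /dev/sda5, the mapping names cswap/chome, the /proc/swaps sample and the assumption that the init scripts honour a `swap` option in /etc/crypttab are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Device names, mapping names and the
# /proc/swaps samples below are constructed placeholders.

# /etc/crypttab: name, backing device, key source, options.
# cswap uses a fresh random key every boot (so it can never be resumed from,
# which is the boot-time warning mentioned above); chome is a LUKS volume
# that prompts for its passphrase. Whether the 'swap' option is honoured
# depends on the distribution's init scripts (assumed here).
CRYPTTAB='cswap  /dev/sda3  /dev/urandom  swap
chome  /dev/sda5  none          luks'

# /etc/fstab: swap and /home come from the mappings, and /tmp and /var/tmp are
# bind-mounted onto directories inside the encrypted /home so that temporary
# files never land on a plaintext partition.
FSTAB='/dev/mapper/cswap  none      swap  sw        0 0
/dev/mapper/chome  /home     ext3  defaults  1 2
/home/.tmp         /tmp      none  bind      0 0
/home/.var-tmp     /var/tmp  none  bind      0 0'

# Constructed /proc/swaps as it looks right after the F8 install described
# above: the raw partition was activated as swap, bypassing the mapping.
PROC_SWAPS_BAD='Filename        Type        Size    Used    Priority
/dev/sda3       partition   2097148 0       -1'

# Constructed /proc/swaps once crypttab has been fixed by hand.
PROC_SWAPS_OK='Filename            Type        Size    Used    Priority
/dev/mapper/cswap   partition   2097148 0       -1'

# check_swap_encrypted PROC_SWAPS_TEXT CRYPTTAB_TEXT
# Exit 0 when every active swap device is /dev/mapper/<name> for a <name>
# declared in crypttab; otherwise print each offending device and exit 1.
check_swap_encrypted() {
    printf '%s\n' "$1" | awk -v ct="$2" '
        BEGIN {
            bad = 0
            n = split(ct, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, /[ \t]+/)
                if (f[1] != "" && f[1] !~ /^#/) names[f[1]] = 1
            }
        }
        NR > 1 && NF > 0 {
            dev = $1; ok = 0
            if (dev ~ "^/dev/mapper/") {
                sub("^/dev/mapper/", "", dev)
                if (dev in names) ok = 1
            }
            if (!ok) { print $1; bad = 1 }
        }
        END { exit bad }'
}

# Stand-alone run: report the post-install state, then the fixed state.
if [ "${0##*/}" != "sh" ]; then
    echo "After install:"; check_swap_encrypted "$PROC_SWAPS_BAD" "$CRYPTTAB" || echo "  -> plaintext swap active"
    echo "After fixing crypttab:"; check_swap_encrypted "$PROC_SWAPS_OK" "$CRYPTTAB" && echo "  -> all swap encrypted"
fi
```

On a real machine the check would be fed `cat /proc/swaps` and `cat /etc/crypttab`; a device it reports is the one the reply says to turn off, re-randomize and re-enable through the crypttab mapping. The check trusts that a crypttab name really is a dm-crypt target; `cryptsetup status <name>` confirms that for any mapping it accepts.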