Switch cryptsetup default metadata format to LUKS2
Summary
The change switches Fedora system default metadata format for full disk encryption from LUKS1 to LUKS2. It mostly involves cryptsetup package and Anaconda installer so that both creates new LUKS2 containers by default.
Owner
- Name: Ondřej Kozina and Vendula Poncova
- Email: okozina AT redhat DOT com, vponcova AT redhat DOT com
- Release notes owner:
Current status
- Targeted release: Fedora 30
- Last updated: 2019-01-11
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
The LUKS2 is evolution of current LUKS standard for software full disk encryption. It's enabler for new features: introduces new Argon2 kdf (alongside current PBKDF2) for keyslots, better support for auto-activation, support for wrapped key ciphers (paes cipher), experimental authenticated encryption. Plus coming new features (online-reencryption).
The LUKS2 format is available and supported since cryptsetup release 2.0.0 (included in Fedora 28).
Benefit to Fedora
Scope
- Proposal owners:
Ensure LUKS2 is declared default in upstream (owner is involved in upstream development). Currently upstream aims for LUKS2 being default in cryptsetup-2.1 (next release). We can switch it even before cryptsetup 2.1 release by overriding the default via configuration switch, but owner would prefer upstream default way.
- Other developers:
Installer (Anaconda & co) should adapt to the change (and create new LUKS2 containers by default if user selects "encrypted storage" during installation).
- Release engineering: #8028
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines:
- Trademark approval: N/A
Upgrade/compatibility impact
There should be none with regard to currently supported Fedora distributions. Both Fedora 28 and 29 provides cryptsetup-2.0.6 (at least via updates streams) that is fully compatible with LUKS2 format. LUKS1 stays to be fully supported even with LUKS2 being new default.
How To Test
Basically there will be two areas to test:
- cryptsetup luksFormat command creates LUKS2 devices by default
- Anaconda installs on LUKS2 devices by default when users selects "encrypted storage" option.
In general this test plan should not cover bugs related to LUKS2 format itself. Those bugs should be covered by development testsuite shipped with cryptsetup package.
User Experience
The everyday experience should not be affected by the change in any way. The basic LUKS2 operations (open, close, add new keyslots, remove keyslot) is handled via same CLI.
More experienced users gain access to new features with default installation as stated in detailed description.
Dependencies
Currently only Anaconda installer. It would be inconvenient to install Fedora (encrypted storage) using different LUKS format by default if cryptsetup used LUKS2. The contact person is listed among Owners of this change.
Contingency Plan
- Contingency mechanism: Stay with LUKS1 format as default
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? N/A
Documentation