Fedora is considering using filesystem encryption by default

Owen Taylor, creator of GNOME Shell and the Pango library and a member of the Fedora Workstation Working Group, has put forward a plan to encrypt system partitions and user home directories by default in Fedora Workstation. The stated benefits of encryption by default include protecting data when a laptop is stolen, protecting against attacks on devices left unattended, and providing confidentiality and integrity out of the box without requiring extra steps from the user.

According to the draft plan, encryption will use fscrypt on Btrfs. For system partitions, the encryption keys are to be stored in the TPM and bound to the digital signatures that verify the integrity of the bootloader, kernel, and initrd; as a result, the user will not need to enter a password to decrypt system partitions at boot. For home directories, keys are to be derived from the user's login and password, so the encrypted home directory is unlocked when the user logs into the system.

The timing of the initiative depends on the distribution's transition to the Unified Kernel Image (UKI), which combines in one file the UEFI boot stub used to load the kernel, the Linux kernel image, and the initrd environment loaded into memory. Without UKI support, the contents of the initrd environment, where the keys for decrypting the file system are determined, cannot be guaranteed to be unmodified: an attacker could replace the initrd and present a fake password prompt. Preventing this requires a verified boot of the entire chain before the file system is mounted.

In its current form, the Fedora installer offers block-level partition encryption with dm-crypt, using a separate passphrase that is not tied to any user account. The plan lists several problems with this approach: it is unsuitable for per-user encryption on multi-user systems, it lacks internationalization and accessibility support, it is open to attacks via bootloader substitution (a bootloader installed by an attacker can impersonate the original one and ask for the decryption password), and it requires framebuffer support in the initrd in order to prompt for a password.

Source: opennet.ru