The Fedora Workstation development group is planning to enable encryption by default for system partitions and user home directories. The move follows the broader recent push toward digital security and privacy. Owen Taylor, creator of GNOME Shell and the Pango library, is among those leading the initiative.
The plan uses Btrfs fscrypt for encryption. For system partitions, the encryption keys will be stored in a TPM and bound to the digital signatures used to verify the integrity of the bootloader and other components such as the kernel and the initrd. As a result, users will not have to enter a password to unlock the system partitions during boot. For home directories, the keys will be derived from the user's login name and password, and the encrypted home directory will be unlocked and mounted at login.
However, successful implementation of the plan depends on the distribution's transition to the Unified Kernel Image (UKI). A UKI combines the UEFI boot stub, the Linux kernel image, and the initrd system environment in a single signed file. Without UKI support, it is impossible to guarantee the immutability of the initrd environment, which is responsible for the keys that decrypt the filesystem. For instance, an attacker can replace the initrd and simulate a password prompt, bypassing verification of the whole boot chain before the filesystem is mounted.
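To illustrate why the initrd must be covered by the same verified unit as the kernel, here is an added conceptual model (not Fedora's or systemd's code) of a TPM-style measured boot in which the filesystem key is sealed to the measured boot chain: a UKI carries kernel and initrd together, so a swapped initrd changes the measurement and the key is not released. The component blobs, the `extend`/`seal`/`unseal` helpers and the `tpm_secret` are constructed stand-ins for a real TPM and real boot binaries.

```python
import hashlib
import hmac
import os

# Constructed sample boot components (stand-ins, not real binaries).
BOOTLOADER = b"shim+systemd-boot (constructed)"
KERNEL = b"vmlinuz (constructed)"
INITRD_GOOD = b"initrd: unlock root via TPM, no prompt (constructed)"
INITRD_TAMPERED = b"initrd: modified environment (constructed)"

def build_uki(kernel: bytes, initrd: bytes) -> bytes:
    """A UKI carries kernel and initrd as one blob, so both fall under one measurement/signature."""
    return b"UKI|" + kernel + b"|" + initrd

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot_chain(components) -> bytes:
    """Measure each boot component in order into a single PCR value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def seal(tpm_secret: bytes, expected_pcr: bytes, key: bytes):
    """Bind a 32-byte key to a PCR value: the wrap key depends on the TPM secret and the expected measurement."""
    wrap = hmac.new(tpm_secret, b"wrap" + expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(key, wrap))
    tag = hmac.new(wrap, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag

def unseal(tpm_secret: bytes, current_pcr: bytes, sealed):
    """Release the key only if the current measurement reproduces the wrap key; otherwise refuse."""
    ciphertext, tag = sealed
    wrap = hmac.new(tpm_secret, b"wrap" + current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap, ciphertext, hashlib.sha256).digest()):
        return None  # measurement mismatch: key stays sealed
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))

def demo():
    """Returns (key released on the expected chain, key refused when the initrd inside the UKI differs)."""
    tpm_secret, fs_key = os.urandom(32), os.urandom(32)
    good_chain = [BOOTLOADER, build_uki(KERNEL, INITRD_GOOD)]
    sealed = seal(tpm_secret, measure_boot_chain(good_chain), fs_key)
    released = unseal(tpm_secret, measure_boot_chain(good_chain), sealed)
    tampered_chain = [BOOTLOADER, build_uki(KERNEL, INITRD_TAMPERED)]
    refused = unseal(tpm_secret, measure_boot_chain(tampered_chain), sealed)
    return released == fs_key, refused is None
```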
Currently, the Fedora installer offers block-level partition encryption using dm-crypt. However, this approach has several drawbacks: the password prompt lacks internationalization and accessibility support, it is susceptible to attacks through the bootloader, and it requires framebuffer support in the initrd in order to display the password prompt.
Overall, the group hopes that encryption by default will protect data if a laptop is stolen and preserve confidentiality and integrity without requiring extra steps from the user.