Wiki - https://fedoraproject.org/wiki/Changes/SelfEncryptingDrivesSupportInAnaconda Discussion thread - https://discussion.fedoraproject.org/t/f41-change-proposal-self-encrypting-drives-support-in-the-installer-self-contained/125529 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Add optional support for using native hardware encryption on TCG OPAL2 compliant drives when configuring disk encryption in the installer. == Owner == * Name: [[User:vtrefny| Vojtech Trefny]] * Email: vtrefny AT redhat.com * Name: [[User:okozina| Ondrej Kozina]] * Email: okozina AT redhat.com * Name: [[User:jkonecny| Jiri Konecny]] * Email: jkonecny AT redhat.com == Detailed Description == Some SATA and NVMe devices support hardware encryption (TCG OPAL2 standard) and with the latest cryptsetup LUKS devices can be configured to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. Support for this feature was added in the latest cryptsetup upstream release and we'd like to provide an option for users to use this feature when installing Fedora with disk encryption. As this is an expert option, it will be available only through the kickstart interface. The existing --luks-version option which allows choosing between LUKS1 and LUKS2 versions when configuring device encryption will be extended to enable using hardware encryption. There will be two new options to select either hardware encryption only or hardware encryption in combination with software encryption (analogous to the `--hw-opal-only` and `--hw-opal` options used when configuring hardware encryption with `cryptsetup`). Using hardware encryption only can be beneficial on low-performance systems where utilising the CPU to encrypt the data when reading/writing from/to the disk can significantly affect the system's performance. Using both software and hardware encryption layers increases the security margin by adding an additional layer of protection. Note: We'd like to emphasize that we do not intend to enable this feature by default, it must be explicitly selected by the user. Using the option to set up only hardware encryption can be risky as it places the trust fully in the disk manufacturer's ability to implement the data encryption in the disk firmware correctly. == Benefit to Fedora == == Scope == * Proposal owners: ** This feature is not yet implemented in the upstream so we'll need to add support for the new LUKS-OPAL format to both the backend storage libraries (blivet and libblockdev) and the installer itself. As this is only expanding and existing feature (disk encryption) already present in the installer, the changes will be relatively small (especially in the installer itself). * Other developers: ** No work from other developers should be needed. * Release engineering: [https://pagure.io/releng/issues #Releng issue number] * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: <!-- Does your proposal align with the current Fedora Strategy: https://discussion.fedoraproject.org/t/fedora-strategy-2028-february-march-planning-work-and-roadmap-til-flock/43618 ? It's okay if it doesn't, but it's something to consider --> == Upgrade/compatibility impact == This change will affect only new installations. == How To Test == A special hardware is required for testing -- you need a disk that supports the OPAL specification. You can check for OPAL support using the `sedutil-cli` utility (provided by the `sedutil` package), simply run `sudo sedutil-cli --scan` to scan for OPAL compliant disks. Because this feature is not configurable from the GUI you need to run a [[Anaconda/Kickstart|kickstart installation]]. Sample kickstart file for encrypted automatic partitioning is shown below. autopart --type=lvm --encrypted --passphrase="passphrase" --luks-version=luks2-hw-opal --opal-admin-passphrase="..." (The exact syntax might change, we'll provide more detailed kickstart files for testing later.) After the installation check that the correct setup for LUKS was used by running `sudo cryptsetup luksDump <device>`. Check the `Data segments` section, it should say either `hw-opal-crypt` for combination of hardware and software encryption LUKS header information Version: 2 ... Data segments: 0: hw-opal-crypt or `hw-opal` for hardware encryption only LUKS header information Version: 2 ... Data segments: 0: hw-opal (`crypt` is shown for software encryption only which is default behaviour). == User Experience == After the installation users shouldn't notice any differences, the system will behave in the same way as with "normal" disk encryption. == Dependencies == Following projects needs to be changed for this feature: [[Anaconda|anaconda]], [[Blivet|blivet]], kickstart, libblockdev. All necessary changes will be done by the change owners. cryptsetup with the LUKS-OPAL support is already available in Fedora 41 and no other changes will be needed for the support in the installer. Once configured the LUKS-OPAL device works in the same way any other "normal" LUKS devices work so there is no need to change any other tools for this feature to work (e.g. unlocking the LUKS-OPAL device doesn't require special configuration). == Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change) ** No specific contingency plan is needed, we will simply not include the feature if we fail to implement all the necessary changes in time. * Contingency deadline: N/A (not a System Wide Change) * Blocks release? No == Documentation == * cryptsetup 2.7.0 release notes describing the feature: https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes * DevConf.cz talk about self-encrypting drives: https://pretalx.com/devconf-cz-2024/talk/PMLHGN/ == Release Notes == -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
