



Switch cryptsetup default metadata format to LUKS2

Summary

The change switches Fedora system default metadata format for full disk encryption from LUKS1 to LUKS2. It mostly involves cryptsetup package and Anaconda installer so that both creates new LUKS2 containers by default.

Owner

Name: Ondřej Kozina and Vendula Poncova

Email: okozina AT redhat DOT com, vponcova AT redhat DOT com

Release notes owner:

Current status

Targeted release: Fedora 30

Last updated: 2019-01-21

Tracker bug: #1668013

Release notes tracker: #282

Detailed Description

The LUKS2 is evolution of current LUKS standard for software full disk encryption. It's enabler for new features: introduces new Argon2 kdf (alongside current PBKDF2) for keyslots, better support for auto-activation, support for wrapped key ciphers (paes cipher), experimental authenticated encryption. Plus coming new features (online-reencryption).

The LUKS2 format is available and supported since cryptsetup release 2.0.0 (included in Fedora 28).

Benefit to Fedora

Scope

Proposal owners:

Ensure LUKS2 is declared default in upstream (owner is involved in upstream development). Currently upstream aims for LUKS2 being default in cryptsetup-2.1 (next release). We can switch it even before cryptsetup 2.1 release by overriding the default via configuration switch, but owner would prefer upstream default way.

Other developers:

Installer (Anaconda & co) should adapt to the change (and create new LUKS2 containers by default if user selects "encrypted storage" during installation).

Release engineering: #8028 List of deliverables: N/A (not a System Wide Change)



Policies and guidelines:

Trademark approval: N/A

Upgrade/compatibility impact

There should be none with regard to currently supported Fedora distributions. Both Fedora 28 and 29 provides cryptsetup-2.0.6 (at least via updates streams) that is fully compatible with LUKS2 format. LUKS1 stays to be fully supported even with LUKS2 being new default.





How To Test

Basically there will be two areas to test:

cryptsetup luksFormat command creates LUKS2 devices by default

Anaconda installs on LUKS2 devices by default when users selects "encrypted storage" option.

In general this test plan should not cover bugs related to LUKS2 format itself. Those bugs should be covered by development testsuite shipped with cryptsetup package.





User Experience

The everyday experience should not be affected by the change in any way. The basic LUKS2 operations (open, close, add new keyslots, remove keyslot) is handled via same CLI.

More experienced users gain access to new features with default installation as stated in detailed description.

Dependencies

Currently only Anaconda installer. It would be inconvenient to install Fedora (encrypted storage) using different LUKS format by default if cryptsetup used LUKS2. The contact person is listed among Owners of this change.

Contingency Plan

Contingency mechanism: Stay with LUKS1 format as default

Contingency deadline: Beta freeze

Blocks release? No

Blocks product? N/A

Documentation

LUKS2 specification document



