Encrypted root partitions in Fedora 9

Note: This information is obsolete and is maintained for historical purposes only. To encrypt a Fedora system, check the “Encrypt system” checkbox during installation.

Well, after some two years, we’ve finally gotten encrypted root filesystem support into Fedora. (And it’s been far too long since I’ve updated this site; sorry.)

The good news is you’ll be able to set up encryption during the installation of a new system. You don’t have to install and then convert it anymore.

The bad news is that it has bugs, though I suspect they will be worked out before release.

Here’s a quick walkthrough of what installation with encrypted partitions is going to look like in Fedora.

First thing to do is decide whether you want the system encrypted in the first place.

In the installer as it is now, encryption is enabled by default. If you bypass this screen without looking, you may wind up surprised later. But, if you’re reading this, probably you won’t be.

Then you select your desired passphrase. (If you want to store a key on external media, such as USB stick, you can delete the passphrase and set this up after first boot.)
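As an added example (not from the original post, and not Fedora's own tooling), here is the LUKS side of keeping a key on external media: generate a random key file that only root can read, then enrol it in a spare key slot alongside the passphrase so either one unlocks the volume. The device path, the mount point of the USB stick, and the key file name are assumptions; `cryptsetup luksAddKey` will prompt for an existing passphrase before it accepts the new key.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a random LUKS key file and
# enrols it as an extra key slot. Device and paths below are assumptions.
set -eu

# make_keyfile PATH [BYTES]: write BYTES of random data to PATH, readable only
# by root, and refuse to clobber an existing file (a silent overwrite would
# destroy a key that may still be the only way into the volume).
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file: $path" >&2
        return 1
    fi
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; head -c "$bytes" /dev/urandom > "$path" )
    chmod 0400 "$path"
    # sanity check: a short read would silently weaken the key
    [ "$(wc -c < "$path")" -eq "$bytes" ]
}

# enrol_keyfile DEVICE KEYFILE: add KEYFILE to a free LUKS key slot on DEVICE.
# The existing passphrase is still valid afterwards; removing it is a separate,
# deliberate step (cryptsetup luksRemoveKey), not done here.
enrol_keyfile() {
    dev=$1
    keyfile=$2
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev does not carry a LUKS header" >&2
        return 1
    fi
    cryptsetup luksAddKey "$dev" "$keyfile"
    # show how many key slots are now active so the operator can confirm
    # the new slot was really added
    cryptsetup luksDump "$dev" | grep -c 'ENABLED'
}

# Usage (assumed layout: encrypted PV on /dev/sda2, USB stick at /media/usbkey):
#   make_keyfile /media/usbkey/rootkey
#   enrol_keyfile /dev/sda2 /media/usbkey/rootkey
```

Enrolling the key is the easy part; arranging for the initrd to mount the USB stick and pass the file to cryptsetup at the early-boot prompt is distribution-specific and is not covered by this post, so test the unlock path from a rescue environment before relying on it.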

One thing to note is that Fedora prompts for the encryption passphrase very early in the boot process, before any keymap has been loaded, so the prompt uses the default U.S. keymap. If you have a non-U.S. keyboard, the keys you press may not produce the characters you set the passphrase with, and the passphrase will be rejected. You can probably work around this by selecting a U.S. keymap during installation, avoiding any characters that sit on different keys in U.S. and non-U.S. layouts when you choose the passphrase, and selecting the keyboard map you really want during first boot.

If you select to review your partition layout, you’ll notice that the entire LVM PV is encrypted. This was done for ease of use and some other reasons.

But if you’re one of the 5 or 6 people (like me) who have been testing this functionality for the last two years, you probably have encrypted LVs instead. These will continue to be supported, and the installer should read them and prompt you for your passphrase when you perform your upgrade to Fedora 9. If not, it’s a reportable bug, so please test this.

Unfortunately, anaconda (the installer) still has some bugs.

Here, we see that it’s failed to create the encrypted PV. This bug has been reported already and should hopefully be fixed by the time Fedora 9 is released.

(By the way, anaconda can dump that traceback to a remote host via ssh. This is a nice touch; the last time I saw anaconda break, there was no way to get the traceback saved.)

As you probably know, I’ve been using an encrypted root filesystem (using encrypted LVs; the encrypted PV functionality is very recent) for a couple of years now. I’m looking forward to this installation issue getting sorted out so that I can test it more thoroughly and convert my own system to an encrypted PV. (And I have to repartition the disk to reinstall Windows Vista with BitLocker anyway, but that’s another story.)

Aside from the keymap issue, there are some other caveats to using the feature right now. You may have trouble if you use a right-to-left language, such as Arabic or Hebrew. You also can’t hibernate your Fedora 9 system, even though the Hibernate button is shown: the computer won’t resume correctly. You must suspend, or shut down, until this functionality is added.

Even with the bugs and the features still to be added, I’m glad to see this feature finally come to fruition. Fedora is, unfortunately, one of the last major Linux distributions to gain this long-demanded capability, and I’m glad I don’t have to make RPMs for people anymore.