For years, Fedora has provided a disk encryption option in the basic installer configuration. LUKS (Linux Unified Key Setup), implemented through the cryptsetup library, provides a convenient way to configure such basic disk-encrypted systems.
In this presentation we will focus on new requirements for deploying disk-encrypted storage in modern systems. We will present the new LUKS2 format definition, which will allow these requirements to be implemented in the future.
These requirements are partly technical (for example, integration with enterprise key management systems) and partly based on new advancements in cryptographic algorithms (for example, new key-derivation functions more resistant to the massively parallel systems attackers use for password cracking).
Another current requirement is the ability to change encryption parameters without completely re-formatting the disk. We will describe a prototype of a re-encryption tool that allows such a change on a fully running system without any downtime.
Last but not least, we will mention some interesting answers from users who participated in a survey questionnaire focused on the usage of disk-encryption systems.
I'm a software engineer working for Red Hat in the storage/LVM team and also the RHEL cryptsetup maintainer. You can discuss cryptsetup, LUKS2 and reencryption with me.