Disk Encryption

[heywoodlh]

LUKS disk encryption would be a nice-to-have option with the installer. However, I can understand this potentially not being an option as the installer has to play nicely with the existing APFS filesystem.

Perhaps systemd-homed using LUKS as the storage mechanism could be considered as a compromise as the user's home directory (perhaps the most relevant part of the filesystem to keep private) would be LUKS encrypted. It wouldn't be full-disk encryption, but still could get some of the way there for user's hoping to have an additional layer of security. However, I could understand this being undesired as it can introduce some complexity and unforeseen complications.

P.S. thanks for all the work that's gone to Asahi. It's so well thought out and I appreciate how polished it is despite being in Alpha. I can't wait for the finished product.

EDIT:

I want to add that for users who want to convert their existing user's home directory to systemd-homed, there is a migration guide

However, there are some constraints on the partition that need to be met for systemd-homed to work with LUKS as the storage mechanism. I'm not sure if the way the partitions are setup in the installer would meet the requirements. I'm just adding this because I'm not sure if these constraints would invalidate the ability to use systemd-homed with Asahi's installer.

[b-crumb]

I would like to add on to this that I have for now written a relatively OK bunch of notes which should be sufficient to explain to anyone how to set up LUKS... this could be added to the wiki.

https://github.com/b-crumb/asahi-luks-notes/blob/main/ASAHILUKS.md

[davidalger]

For those using an Asahi Fedora remix, I posted a how-to on my blog covering the entire process of install, LUKS encryption, configure grub, rebuild initramfs, etc.

https://davidalger.com/posts/asahi-fedora-workstation-on-apple-silicon-with-luks-encrypted-root/

TL:DR; The LUKS encryption part itself is done in-place while booted from a Fedora USB drive allowing the Fedora root partition to remain unmounted:

1. Shrink the btrfs filesystem by 32 MiB

2. Encrypt in-place using cryptsetup

   cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1pX
   

3. Add the volume to /etc/crypttab

4. Update grub config adding rd.luks.uuid=LUKS_UUID to GRUB_CMDLINE_LINUX and rebuild initramfs using dracut in a chroot.

[iMonZ]

I am not sure but I think this was added to the installer. Can someone confirm this please?

[davide125]

Encryption is not supported in the installer at the moment. There is an old WIP branch at AsahiLinux/asahi-installer#240

[cortadocodes]

I'd love to switch to Asahi Linux but full-disk encryption is a basic security requirement for many workplaces. MacOS, Windows, and most phones have this available as standard. I love the work you've done but I'm not sure I can switch if this isn't implemented - I think it's a must-have, not a nice-to-have. Is there a timeframe on AsahiLinux/asahi-installer#240 and is it implementing full-disk or just home directory?

[MarcusWentz]

Updates on this? I know several people not trying out Asahi Linux yet since this critical security feature isn't added yet.

[tombh]

I wonder if we should change the title? Disk encryption is and always has been supported in Asahi. The issue is that it has to be set up manually, which whilst requiring some technical knowledge isn't any harder than say how you would do it in Arch Linux. Here are some guides:

• https://davidalger.com/posts/fedora-asahi-remix-on-apple-silicon-with-luks-encryption/
• https://github.com/b-crumb/asahi-notes/blob/main/December%202022/notes.md#LUKS

So what about if the title was changed to: "Installer option to automatically set up disk encryption"?

[cortadocodes]

@tombh do those result in full disk encryption rather than just home directory encryption? If so, I think the title should be "Installer option to automatically set up full disk encryption"

[tombh]

Yes. The guides use LUKS, which is kernel-level full disk encryption. And I am writing to you now from a LUKS-encrypted Asahi install.

[vedmant]

That's probably the main reason why I can't use Asahi as alternative to main OS secure environment. Manual LUKS setup is pretty complicated, requires booting from a separate USB drive, which I need to buy just to setup LUKS. And maybe an hour or two of my time to do this all.

BTW, someone already had a security problem with non encrypted disk https://news.ycombinator.com/item?id=39941021 , I think encryption must be a default option when installing any OS.