What is encryption?

In cryptography, encryption is encoding information so that only authorized parties can read it. Encryption doesn’t necessarily prevent someone else from getting access to your data. However, if they do, it can prevent that data’s content from being read. Encryption transforms the intended information, referred to as plaintext, using an algorithm into ciphertext that’s only readable if decrypted.

Why should I encrypt?

Encryption is important because it allows you to securely protect data you don’t want anyone else to access. Businesses use encryption to protect corporate secrets. Governments use it to secure classified information. And many individuals use encryption to protect personal information, guard against identity theft, or wipe media before replacing it.

By default, Fedora and most Linux distributions come with LUKS, the Linux Unified Key Setup system. LUKS manages encryption on storage devices such as hard disks.

Cryptography lesson: Why use a strong passphrase?

This part’s for cryptography geeks. You need to set a strong passphrase because Fedora’s default implementation of LUKS uses AES-256 with SHA-256 hashing to encrypt the disk volume. It also uses cipher feedback to help protect against frequency attacks and other attacks that target statically encrypted data. As an algorithm, AES has been proven secure by cryptanalysis testing. The weakness actually lies within the cipher and the software that passes keys to the cipher. Specifically, the risk lies in the keystore, which is stored in the header of the volume. The keystore is secured by a passphrase, which is open to things like dictionary or brute force attacks. If such an attack were successful at guessing your passphrase, it would decrypt the keystore. Using longer, more complex, non-word passwords reduces the chance of this happening.

Encrypting your Fedora system

Step One: Install Fedora 24 on 32 and 64-bit AMD and Intel

If you decide to encrypt your Fedora system’s storage, you can do so with the Anaconda installer during setup. Check the option for Encrypt my data.

After you confirm, you must create an encryption passphrase. Note: The best encryption can be easily broken if you choose a weak password! Choose one easy for you to remember, but difficult for others to guess. Consider using a tool like KeePass or the pwgen command-line tool, which is described later.


Step Two: Change your passphrase

If you’re unable to copy and paste a strong password, such as when using Virtual Machine Manager, choose a simple one and change it immediately after the first reboot. To replace your temporary password with a random passphrase, you can use the KeePass tool; alternatively, use the pwgen utility by running the following commands:

# dnf install pwgen -y
# pwgen -C 10

Once you have your strong passphrase, run:

# cryptsetup luksAddKey /dev/sda2

The result should look something like this:

[Screenshot: terminal output of the cryptsetup luksAddKey command]

After you’ve added the new passphrase, kill the old/weak passphrase slot:

# cryptsetup luksKillSlot /dev/sda2 0

Then, to confirm, enter the strong passphrase you just added:

[Screenshot: passphrase prompt of the cryptsetup luksKillSlot command]
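Killing slot 0 is only safe once the new passphrase is known to work from another slot. The script below is an added example, not part of the original article: it checks the luksDump output and tests the new passphrase before removing the old slot. It assumes a LUKS1 header (the "Key Slot N: ENABLED" lines); the function names and the sample dump are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the article. Assumes a LUKS1 header, where
# `cryptsetup luksDump` prints one "Key Slot N: ENABLED|DISABLED" line per slot.

# Constructed sample of luksDump output (excerpt) for trying the checks offline.
sample_dump() {
    printf '%s\n' 'LUKS header information for /dev/sda2' '' \
        'Version:        1' 'Cipher name:    aes' \
        'Key Slot 0: ENABLED' 'Key Slot 1: ENABLED' 'Key Slot 2: DISABLED'
}

# Print the number of every enabled key slot found in luksDump text on stdin.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Succeed only if slot $1 is enabled AND at least one other enabled slot remains.
safe_to_kill() {
    awk -v s="$1" '
        /^Key Slot [0-9]+: ENABLED/ {
            sub(":", "", $3)
            if ($3 == s) hit = 1; else others++
        }
        END { exit !(hit && others >= 1) }'
}

# Move the passphrase from old_slot to new_slot on dev; stop at the first failure.
rotate_passphrase() {
    dev=$1 old_slot=$2 new_slot=$3
    cryptsetup luksAddKey --key-slot "$new_slot" "$dev" || return 1
    # Prove the new passphrase unlocks its slot before the old one is removed.
    cryptsetup luksOpen --test-passphrase --key-slot "$new_slot" "$dev" || return 1
    cryptsetup luksDump "$dev" | safe_to_kill "$old_slot" || {
        echo "refusing to kill slot $old_slot on $dev" >&2
        return 1
    }
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Offline demonstration on the constructed sample.
echo "enabled slots: $(sample_dump | enabled_slots | tr '\n' ' ')"
sample_dump | safe_to_kill 0 && echo "slot 0 may be removed"
```

With the device from the article, the call would be rotate_passphrase /dev/sda2 0 1, run as root.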

Learning more

For more information about encrypting your Fedora system at installation time, consider reviewing the official Installation Guide and the Disk Encryption User Guide on the Fedora Wiki.