Written by Michael Larabel in Fedora on 3 April 2023 at 06:41 PM EDT. 38 Comments

Fedora Workstation developers and those involved at Red Hat have been working to improve the state of disk encryption on Fedora with a end-goal of possibly making the installer encrypt systems by default.

While many Linux distributions allow for full-disk encryption these days, not many distributions enable it by default (Pop!_OS being among the rare that actively encourage it) while it looks like in the future Fedora Workstation could default to having its installer encrypt the disk.

Pop!_OS does a great job actively encouraging encryption on new installs.Owen Taylor of Red Hat laid out a mailing list post and Discourse thread today around the future of encryption with Fedora. With the encryption planning is also to have the encryption key stored in the system's Trusted Platform Module (TPM) and to also sign the bootloader/kernel/initrd with the TPM signatures. This work in turn is dependent upon the ongoing Unified Kernel Image support with Fedora and upstreams like systemd.

The Fedora Workstation plan would be to use the upcoming Btrfs fscrypt support for encrypting both the system and home directories. Fedora Workstation in the future could by default enable Btrfs FSCRYPT system and home directory encryption and store the keys in the TPM.More details on these tentative plans -- that are still subject to change and timing as well as needing formal FESCo approval -- can be found via this mailing list thread and the Fedora Discussion.

Overall this is a good move for Fedora Workstation. Especially for laptops I for years have actively encouraged making use of disk encryption. Especially with modern processors and storage drives, encryption costs are very low and worthwhile for those actively taking their laptops with them as well as other desktops/workstations with sensitive data to physical theft, etc. It will be interesting to see how (and when) the Fedora encryption-by-default plans materialize.