#2056 F30 System-Wide Change: Switch cryptsetup default metadata format to LUKS2
Closed: Accepted 5 years ago by churchyard. Opened 5 years ago by bcotton.

The change switches the Fedora system default metadata format for full disk encryption from LUKS1 to LUKS2. It mostly involves the cryptsetup package and the Anaconda installer, so that both create new LUKS2 containers by default.


I see two potential issues:
- somebody installs a system with LUKS2 and then tries to access it from an older installation that does not support LUKS2. Realistically, I don't think this is a big issue, since one needs to go back all the way to F27, and F27 is EOL already.
- lack of support for the new format in some other tools. It is always possible that we will discover some issues, but this will not happen until we do the switch. Hence, a good time to do the switch would be now-ish, long before we get to the beta freeze.

+1

+1 and I agree with @zbyszek: please make the switch as soon as this ticket is approved.

I feel the change proposal is lacking background on the stability status of LUKS2: when was the feature added to the LUKS codebase? What testing has been done? Is it being used anywhere in production? It also is missing any indication of what happens to existing installs (I assume they stay LUKS1 indefinitely?).

If it's something that only affects new Anaconda installs, then it may take a long time to get a significant amount of testing - especially in more corner case configurations, so certainly the sooner in the cycle the better.

@zbyszek If FESCo approves it, I can do the switch with the current cryptsetup 2.0.6. There's a configure switch for the default format already, so we can test it very quickly. Anaconda already supports it, and libblockdev is ready for the format as well.

@otaylor

> I feel the change proposal is lacking background on the stability status of LUKS2 - when was the feature added to the LUKS codebase?

It's been added in cryptsetup 2.0.0 (F28), as stated in the change request. cryptsetup 2.0.0 was released in December 2017. systemd has been able to unlock the LUKS2 format since day 1.

> What testing has been done?

There's a full devel test suite covering the LUKS2 format completely, shipped with the cryptsetup sources.

> Is it being used anywhere in production?

New features are directly dependent on the LUKS2 format, for example the wrapped-key scheme for current s390x archs. All users of authenticated encryption have no other option than to use LUKS2.

> It also is missing any indication of what happens to existing installs

Without direct user intervention (the cryptsetup convert command), all existing LUKS1 installations stay LUKS1. The LUKS1 format will be fully supported, but we won't add new features for it anymore.
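The compatibility question raised above (an older cryptsetup not recognising a LUKS2 container) comes down to the header version at a fixed offset, which is the same check `cryptsetup luksDump` or `blkid` performs before doing anything else. The following is an added example written for this page, not code from cryptsetup or the Fedora change; it parses the primary header of either format from a raw byte buffer using the on-disk layouts of the LUKS1 and LUKS2 specifications (6-byte magic at offset 0, big-endian 16-bit version at offset 6, UUID at offset 168 in both), and then applies the rule stated in this thread that LUKS2 needs cryptsetup 2.0.0 or newer. The two sample headers, their label and UUIDs are constructed inline for illustration; the key-slot area, salts and digests are zero placeholders rather than real key material.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"        # primary header magic, shared by LUKS1 and LUKS2
LUKS2_MAGIC_2ND = b"SKUL\xba\xbe"   # LUKS2 secondary (backup) header magic


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def _pad(s: bytes, n: int) -> bytes:
    return s.ljust(n, b"\x00")


def parse_luks_header(hdr: bytes) -> dict:
    """Return the LUKS version plus a few identifying fields from a raw header.

    Offsets follow the LUKS1 and LUKS2 on-disk header layouts; only the fields
    needed to identify the container are decoded.
    """
    if len(hdr) < 208:
        raise ValueError("buffer too short for a LUKS header")
    magic = hdr[0:6]
    if magic not in (LUKS_MAGIC, LUKS2_MAGIC_2ND):
        raise ValueError("no LUKS magic at offset 0")
    (version,) = struct.unpack_from(">H", hdr, 6)
    info = {"version": version, "uuid": _cstr(hdr[168:208])}
    if version == 1:
        # LUKS1: cipher-name[32] @8, cipher-mode[32] @40, hash-spec[32] @72,
        # payload-offset u32 @104, key-bytes u32 @108
        info["cipher_name"] = _cstr(hdr[8:40])
        info["cipher_mode"] = _cstr(hdr[40:72])
        info["hash_spec"] = _cstr(hdr[72:104])
        payload_offset, key_bytes = struct.unpack_from(">II", hdr, 104)
        info["payload_offset_sectors"] = payload_offset
        info["key_bytes"] = key_bytes
    elif version == 2:
        # LUKS2: hdr_size u64 @8, seqid u64 @16, label[48] @24, csum_alg[32] @72
        info["secondary"] = magic == LUKS2_MAGIC_2ND
        hdr_size, seqid = struct.unpack_from(">QQ", hdr, 8)
        info["hdr_size"] = hdr_size
        info["seqid"] = seqid
        info["label"] = _cstr(hdr[24:72])
        info["csum_alg"] = _cstr(hdr[72:104])
    else:
        raise ValueError(f"unknown LUKS version {version}")
    return info


def cryptsetup_can_open(info: dict, cryptsetup_version: tuple) -> bool:
    """LUKS1 is readable by any cryptsetup; LUKS2 needs cryptsetup >= 2.0.0 (Fedora 28+)."""
    if info["version"] == 1:
        return True
    return cryptsetup_version >= (2, 0, 0)


def build_luks1_header() -> bytes:
    """Constructed LUKS1 header (592 bytes, key slots zeroed) for the example."""
    h = LUKS_MAGIC + struct.pack(">H", 1)
    h += _pad(b"aes", 32) + _pad(b"xts-plain64", 32) + _pad(b"sha256", 32)
    h += struct.pack(">II", 4096, 64)                  # payload offset (sectors), key bytes
    h += b"\x00" * 20 + b"\x00" * 32                   # mk-digest, mk-digest-salt (placeholders)
    h += struct.pack(">I", 1000)                       # mk-digest-iter (placeholder)
    h += _pad(b"11111111-2222-3333-4444-555555555555", 40)  # constructed UUID
    return h.ljust(592, b"\x00")                       # 8 key slots x 48 bytes, zeroed here


def build_luks2_header(secondary: bool = False) -> bytes:
    """Constructed LUKS2 binary header (4096 bytes, JSON area omitted) for the example."""
    magic = LUKS2_MAGIC_2ND if secondary else LUKS_MAGIC
    h = magic + struct.pack(">H", 2)
    h += struct.pack(">QQ", 16384, 3)                  # hdr_size, seqid
    h += _pad(b"fedora-root", 48) + _pad(b"sha256", 32)  # label (constructed), csum_alg
    h += b"\x00" * 64                                  # salt (placeholder)
    h += _pad(b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 40)  # constructed UUID
    return h.ljust(4096, b"\x00")


def build_luks2_image() -> bytes:
    """Primary header at 0 and the secondary copy at hdr_size, as LUKS2 lays them out."""
    primary = build_luks2_header()
    hdr_size = parse_luks_header(primary)["hdr_size"]
    return primary.ljust(hdr_size, b"\x00") + build_luks2_header(secondary=True)


def scan_image(img: bytes) -> dict:
    """Parse the primary header and, for LUKS2, confirm the secondary header matches."""
    primary = parse_luks_header(img)
    if primary["version"] == 2:
        secondary = parse_luks_header(img[primary["hdr_size"]:])
        primary["secondary_ok"] = secondary["secondary"] and secondary["uuid"] == primary["uuid"]
    return primary


if __name__ == "__main__":
    for name, img in (("luks1", build_luks1_header()), ("luks2", build_luks2_image())):
        info = scan_image(img)
        print(name, info, "cryptsetup 1.7 can open:", cryptsetup_can_open(info, (1, 7, 5)))
```

On a real device the same check is `cryptsetup luksDump /dev/sdX` (the first line reports `LUKS header information for` a version 1 or 2 header), or `blkid -p /dev/sdX`, which prints `VERSION="2"` for LUKS2; the parser above is only for seeing why an F27-era cryptsetup, which predates LUKS2, cannot make sense of the version 2 layout.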

Metadata Update from @churchyard:
- Issue tagged with: meeting

5 years ago

This is now approved with 5 pluses. It was announced as part of the meeting, so I'll keep it tagged as such in case somebody would like to join the meeting and discuss something.

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

5 years ago

Metadata Update from @churchyard:
- Issue untagged with: meeting

5 years ago

Metadata Update from @churchyard:
- Issue untagged with: pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

5 years ago
