24.Key Code

Fedora Workstation developers and those involved at Red Hat have been working to improve the state of disk encryption on Fedora with a end-goal of possibly making the installer encrypt systems by default.

While many Linux distributions allow for full-disk encryption these days, not many distributions enable it by default (Pop!_OS being among the rare that actively encourage it) while it looks like in the future Fedora Workstation could default to having its installer encrypt the disk. 

Owen Taylor of Red Hat laid out a mailing list post and Discourse thread today around the future of encryption with Fedora. With the encryption planning is also to have the encryption key stored in the system's Trusted Platform Module (TPM) and to also sign the bootloader/kernel/initrd with the TPM signatures. This work in turn is dependent upon the ongoing Unified Kernel Image support with Fedora and upstreams like systemd.

The Fedora Workstation plan would be to use the upcoming Btrfs fscrypt support for encrypting both the system and home directories.