Security
GnuPG 2 as the default GPG implementation
Starting with Fedora 30, the /usr/bin/gpg
path representing the main GPG implementation uses GnuPG 2 instead of version 1 used in earlier releases.
This change brings Fedora in line with other major distributions, and provides users with consistent experience between distributions.
Cryptsetup metadata format changed to LUKS2
The default metadata encryption format for full disk encryption has been changed from LUKS1 to LUKS2.
LUKS2 is an evolution of the standard that enables new features such as the Argon2 KDF for keyslots (alongside currently used PBKDF2), improved support for automatic activation, support for wrapped key ciphers (the paes
cipher), and experimental authenticated encryption.
LUKS1 continues to be supported.
Note that older boot media (Fedora 27 and earlier) do not provide a version of cryptsetup
that can unlock LUKS2-encrypted volumes.
This means a Fedora 27 or earlier installation ISO can not be used to rescue a system with LUKS2 encryption.
Changes to libcrypt
A number of unsafe legacy functions have been removed from libcrypt
, and a compatibility package is now provided for applications that rely on these functions.
For details, see Distribution-wide Changes.
Want to help? Learn how to contribute to Fedora Docs ›