openSUSE Aeon has announced plans to introduce comprehensive full disk encryption (FDE) by default, improving the security of the Linux distro.

Aeon is openSUSE’s “just works” Linux distro based on openSUSE Tumbleweed. Aeon is designed to simplify the process of running and administering Linux.

Aeon uses transactional updates “to provide atomic updates utilising the power of btrfs snapshots. Your system is updated inside a new snapshot leaving your current system unaffected.” As a result of this approach, updates are downloaded and applied in the background without impacting the current system until reboot, at which point the updated system is active. If an update fails for any reason, the updated “snapshot” is discarded and the system continues running.

Continuing its approach of providing a “just works” experience, Aeon’s developers are introducing FDE by default to provide comprehensive security.

Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users. The feature is expected to be included in the upcoming Release Candidate 3 (RC3).

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system. Depending on the hardware configuration of a system, Aeon’s encryption will be set up in one of two modes: Default or Fallback.

The developers outline the Default Mode for FDE’s implementation:

The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system’s integrity. These including:

• UEFI Firmware
• Secure Boot state (enabled or disabled)
• Partition Table
• Boot loader and drivers
• Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.

Fallback Mode exists for computers that don’t support TPM, requiring the user to enter a password on boot (not the password to log in, but the password that is required immediately on boot to unlock the disk). The developers address concerns that the Default Mode’s TPM implementation is less secure than manually entering a password:

Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.

FDE is available on most Linux distros, and all of the major ones. Unfortunately, there are very few that make FDE the default option, with Pop!_OS being a notable exception. Making comprehensive FDE the default for openSUSE Aeon is a good move, hopefully one more distros will embrace.