The openSUSE devs have released the latest version of Aeon, their “just works” Linux distro, bringing it to RC3 status and providing Full Disk Encryption (FDE) by default.
Aeon’s developers announced in mid-July that they planned to make FDE the default moving forward. While the vast majority of Linux distros offer FDE, very few enable it by default, despite the security it provides. openSUSE has a long history of being one of the most security-oriented distros on the market, and Aeon’s devs wanted to take that a step further by making FDE the default option.
In a post on Reddit, the devs announced the release of Aeon RC3:
The biggest change with this release is the introduction of Full Disk Encryption by default, configured automatically as part of the installation.
Depending on your hardware, Aeon will automatically configure Full Disk Encryption in one of two modes:
- Default Mode with “Measured Boot” – strong verification of bootloader, initrd and kernel before automatically decrypting your system
- Fallback Mode with no verification of boot components and requiring a Passphrase on boot to decrypt your system
For those leery of relying on the default mode, the devs previously outlined why it is secure, debunking myths regarding TPM in the process:
The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module (TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system’s integrity. These include:
- UEFI Firmware
- Secure Boot state (enabled or disabled)
- Partition Table
- Boot loader and drivers
- Kernel and initrd (including kernel command line parameters)
These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.
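As an added illustration (not code from the Aeon project or the openSUSE devs), the following Python model shows how the measured-boot mode reaches its unlock decision: each measured component is hashed and extended into a simulated TPM PCR in boot order, and the value sealed at install time is compared with the value measured at the current boot. Component names, sample contents and the event-log comparison are constructed for the example.

```python
import hashlib
from typing import Dict, Optional

# Boot components measured by the default mode, in the order they are extended.
# (Constructed names for this example; Aeon's real PCR layout is not shown here.)
MEASURED_COMPONENTS = [
    "uefi_firmware",
    "secure_boot_state",
    "partition_table",
    "bootloader",
    "kernel_initrd_cmdline",
]

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA256(PCR_old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: Dict[str, bytes]) -> bytes:
    """Replay the boot chain into a single simulated PCR (zeroed at power-on)."""
    pcr = bytes(32)
    for name in MEASURED_COMPONENTS:
        pcr = extend_pcr(pcr, components[name])
    return pcr

def unlock_decision(sealed_pcr: bytes, current: Dict[str, bytes]) -> str:
    """Automatic decryption only when the measured chain matches the sealed value;
    any mismatch falls back to asking for the Recovery Key."""
    return "auto-unlock" if measure_boot(current) == sealed_pcr else "recovery-key"

def first_divergence(expected_log: Dict[str, bytes], current: Dict[str, bytes]) -> Optional[str]:
    """Diagnostic: compare a per-component event log (as a real TPM event log would
    be compared) to name the first component whose measurement changed."""
    for name in MEASURED_COMPONENTS:
        if expected_log[name] != hashlib.sha256(current[name]).digest():
            return name
    return None

# Constructed sample boot state recorded at install time.
GOOD_BOOT = {
    "uefi_firmware": b"firmware-image-v1",
    "secure_boot_state": b"enabled",
    "partition_table": b"gpt:esp,root",
    "bootloader": b"systemd-boot",
    "kernel_initrd_cmdline": b"vmlinuz+initrd root=... quiet",
}
SEALED_PCR = measure_boot(GOOD_BOOT)
EVENT_LOG = {n: hashlib.sha256(GOOD_BOOT[n]).digest() for n in MEASURED_COMPONENTS}

# Same system, but the kernel command line was changed after enrollment.
CHANGED_BOOT = dict(GOOD_BOOT, kernel_initrd_cmdline=b"vmlinuz+initrd root=... quiet splash")
```

Because the extend operation is order-sensitive and one-way, changing any single measured component (here the kernel command line) yields a different final PCR, so the sealed value no longer matches and the Recovery Key prompt is the only path to decryption.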
The devs do say that existing users will need to reinstall their system to take advantage of the new features.
RC3 is expected to be the last release candidate before a 1.0 release.