Security

Starting with Fedora 30, the /usr/bin/gpg path representing the main GPG implementation uses GnuPG 2 instead of version 1 used in earlier releases. This change brings Fedora in line with other major distributions, and provides users with consistent experience between distributions.

The default metadata encryption format for full disk encryption has been changed from LUKS1 to LUKS2. LUKS2 is an evolution of the standard that enables new features such as the Argon2 KDF for keyslots (alongside currently used PBKDF2), improved support for automatic activation, support for wrapped key ciphers (the paes cipher), and experimental authenticated encryption.

LUKS1 continues to be supported.

Note that older boot media (Fedora 27 and earlier) do not provide a version of cryptsetup that can unlock LUKS2-encrypted volumes. This means a Fedora 27 or earlier installation ISO can not be used to rescue a system with LUKS2 encryption.

A number of unsafe legacy functions have been removed from libcrypt, and a compatibility package is now provided for applications that rely on these functions. For details, see Distribution-wide Changes.