Only Use Latest/Best Encryption

nurmagoz · July 24, 2025, 7:14pm

Since there shouldnt be no backward compatibility, only the best and most secure options available will be used, whether in TLS versions, cipher suites, OS-level encryption, or any other security-related components.

Patrick · July 26, 2025, 10:04am

Practical limitation: Subject to limitations of Kicksecure base operating system and the current release version being based on.

We can demand users to stay reasonably up-to-date.

Less confusing highly technical options means better usability, so whenever sensible yes. If we can reasonably make this decision, yes. For example,

we’re not going to add an encryption option for 3DES to our Calamares installer if someone requests that. Even if contributed, that won’t happen → Declined Feature Requests.
if we conclude to have identified the latest / best encryption algorithm and it’s a clear choice, we’ll use that as default.
if there are multiple great choices but no best can be identified, it’s being a controversial choice, and there are a lot users requesting both options, we will probably provide options.

It’s not easy to have a general policy that foresees everything. This will need to be decided on a by case basis depending on the component in question.

And performance may also play a role.

Do we use AES? Or a cascade AES-Twofish-Serpent by default? Some performance tests will be needed.
What if there was a cascade of 50 [1] (or you name it how many) algorithims or some super new algorithm on steriods that has a performance reduction of 99% - which in result would mean booting the system would now take several hours… We wouldn’t use that. Feasibility, practicality, performance considerations will remain to play a role.
- related: Kicksecure Stable Version User Experience

[1] hypothetical example

“AES-Twofish-Serpent-Camellia-CAST6-IDEA-RC6-MARS-Skipjack-Threefish-ARIA-Kuznyechik-SEED-LEA-Simon-Speck-HIGHT-XTEA-Anubis-FROG-MAGMA-RC5-HC-256-HC-128-TEA-Multi2-Noekeon-Loki97-CLEFIA-CryptoKnight-LOKI-HastyPudding-PANAMA-RedPike-SAFER+SHACAL-1-SHACAL-2-GOST-Streebog-MISTY1-Kasumi-KHAZAD-MMB-MMB2-Curupira-DEAL-CS-Cipher-E2-SHARK-ZERO-Trithemius-BLOWFISH”