LUKS2 unusable in current state #2129

Open
abalfoort opened this issue Apr 21, 2023 · 12 comments
Comments

@abalfoort (Contributor)

I followed this guide to setup LUKS2 for Calamares on Debian Bookworm: https://github.com/calamares/calamares/wiki/Deploy-LUKS

Calamares built from source (21-04-2023).

Configuration files:
modules_conf.zip

Version info:

```
$ apt policy grub-efi-amd64 cryptsetup
grub-efi-amd64:
  Installed: 2.06-8
  Candidate: 2.06-8
  Version table:
 *** 2.06-8 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        500 file:/run/live/medium testing/main amd64 Packages
        100 /var/lib/dpkg/status
cryptsetup:
  Installed: 2:2.6.1-3~deb12u1
  Candidate: 2:2.6.1-3~deb12u1
  Version table:
 *** 2:2.6.1-3~deb12u1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        500 file:/run/live/medium testing/main amd64 Packages
        100 /var/lib/dpkg/status
```

Automatic partitioning (erase):
300M: /boot/efi: FAT32
10G: /: LUKS2
100%: /home: LUKS2

```
    Starting job "bootloader" ( 39 / 41 ) 
2023-04-21 - 06:20:10 [6]: virtual Calamares::JobResult Calamares::PythonJob::exec()
    Job file "/usr/lib/x86_64-linux-gnu/calamares/modules/bootloader/main.py" 
2023-04-21 - 06:20:10 [6]: [PYTHON JOB]: Found gettext "en_US" in "/usr/share/locale/en_US" 
2023-04-21 - 06:20:10 [6]:     .. Job description from pretty_name "bootloader" = "Install bootloader." 
2023-04-21 - 06:20:10 [6]: [PYTHON JOB]: "Bootloader: grub (efi)" 
2023-04-21 - 06:20:10 [6]:     .. Running ("grub-install", "--target=x86_64-efi", "--efi-directory=/boot/efi", "--bootloader-id=debian", "--force") 
2023-04-21 - 06:20:11 [6]:     .. Target cmd: ("grub-install", "--target=x86_64-efi", "--efi-directory=/boot/efi", "--bootloader-id=debian", "--force") Exit code: 1 output:
 Installing for x86_64-efi platform.
grub-install: error: cannot find a device for /boot/grub (is /dev mounted?).
```

Creating a /boot partition for automatic partitioning results in an encrypted /boot partition and the same error as above.

Manual partitioning:
300M: /boot/efi: FAT32
300M: /boot: EXT4
10G: /: LUKS2
100%: /home: LUKS2

A "boot partition not encrypted" warning is shown. In this case (there is currently no alternative) the warning should not be shown.

```
    Starting job "bootloader" ( 40 / 42 ) 
2023-04-21 - 06:49:13 [6]: virtual Calamares::JobResult Calamares::PythonJob::exec()
    Job file "/usr/lib/x86_64-linux-gnu/calamares/modules/bootloader/main.py" 
2023-04-21 - 06:49:13 [6]: [PYTHON JOB]: Found gettext "en_US" in "/usr/share/locale/en_US" 
2023-04-21 - 06:49:13 [6]:     .. Job description from pretty_name "bootloader" = "Install bootloader." 
2023-04-21 - 06:49:13 [6]: [PYTHON JOB]: "Bootloader: grub (efi)" 
2023-04-21 - 06:49:13 [6]:     .. Running ("grub-install", "--target=x86_64-efi", "--efi-directory=/boot/efi", "--bootloader-id=debian", "--force") 
2023-04-21 - 06:49:14 [6]:     .. Finished. Exit code: 0 output:
 Installing for x86_64-efi platform.
Installation finished. No error reported.
2023-04-21 - 06:49:14 [6]: [PYTHON JOB]: "UEFI Fallback: True" 
2023-04-21 - 06:49:14 [6]: [PYTHON JOB]: "  .. installing 'bootx64.efi' fallback firmware" 
2023-04-21 - 06:49:14 [6]:     .. Running ("grub-mkconfig", "-o", "/boot/grub/grub.cfg") 
2023-04-21 - 06:49:14 [6]:     .. Target cmd: ("grub-mkconfig", "-o", "/boot/grub/grub.cfg") Exit code: 1 output:
 /usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?).
2023-04-21 - 06:49:14 [2]: WARNING: [PYTHON JOB]: "Command 'grub-mkconfig -o /boot/grub/grub.cfg' returned non-zero exit status 1." 
2023-04-21 - 06:49:14 [6]: [PYTHON JOB]: "stdout:/usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?)." 
2023-04-21 - 06:49:14 [6]: [PYTHON JOB]: "stderr:None" 
```

As I understand, Grub2 does not support LUKS2. You will need an unencrypted /boot partition. However, automatic partitioning does not create an unencrypted /boot partition when using LUKS2 for encryption. Manual partitioning should work, but crashes on grub-probe.
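Both grub failures quoted above end in the same hint, "(is /dev mounted?)": grub-probe maps a mountpoint back to its block device through the chroot's /dev (including /dev/mapper for dm-crypt volumes), /proc and /sys, and fails this way when those are not bind-mounted into the target. Whether that is what went wrong in this Calamares build is an assumption; the check below is an added example, not Calamares or GRUB code, for verifying a target root before grub-install and grub-mkconfig are run. It takes the mount table on stdin so the constructed sample runs offline; on a real target, feed it /proc/self/mounts.

```sh
#!/bin/sh
# Pre-flight check before grub-install / grub-mkconfig inside an installer chroot.
# grub-probe resolves a mountpoint to its block device through the target's
# /dev (with /dev/mapper for dm-crypt), /proc and /sys; without them it fails
# with "cannot find a device for / (is /dev mounted?)".
# Added example, not Calamares or GRUB code. It assumes the cause is a missing
# bind mount and reads the mount table from stdin; the sample table is constructed.

REQUIRED_MOUNTS="dev proc sys"   # pseudo-filesystems grub-probe needs inside the chroot

# missing_chroot_mounts TARGET < mount-table
# Reads a table in /proc/self/mounts format, prints the required mountpoints
# missing under TARGET (space separated) and returns 1; returns 0 when ready.
missing_chroot_mounts() {
    target=${1%/}        # tolerate a trailing slash: /mnt/target/ -> /mnt/target
    table=$(cat)         # slurp stdin once; it is scanned once per mountpoint
    missing=""
    for m in $REQUIRED_MOUNTS; do
        # The mountpoint is field 2 and /proc/self/mounts escapes blanks as \040,
        # so a fixed-string match on " <mountpoint> " is an exact match.
        if ! printf '%s\n' "$table" | grep -qF -- " $target/$m "; then
            missing="$missing $m"
        fi
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: /dev and /proc were bind-mounted into the target, /sys was not.
SAMPLE_MOUNTS='/dev/mapper/luks-root /mnt/target ext4 rw,relatime 0 0
udev /mnt/target/dev devtmpfs rw,nosuid,relatime 0 0
proc /mnt/target/proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /mnt/target/boot/efi vfat rw 0 0'

# Real use, as root, after the installer has mounted the target:
#   missing_chroot_mounts /mnt/target < /proc/self/mounts
if missing=$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_chroot_mounts /mnt/target); then
    echo "chroot ready for grub-install"
else
    echo "not ready, bind-mount first: $missing"
fi
```

Run against the sample it reports `sys` as missing; with a `sysfs /mnt/target/sys` line added to the table it returns 0, which is the state grub-install should be started in.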

@abalfoort (Contributor, Author)

Log files:
session_efi_auto.log
session_efi_man.log

@dalto8 (Contributor) commented Apr 21, 2023

grub doesn't support argon2id in many distros by default. That is the reason that luks2 isn't the default in Calamares.

The distro needs to add support for luks2 before enabling it. For example:

  • Don't use grub
  • Ship a version of grub patched with argon2id support
  • If the distro supports it, you can try mounting the ESP at /boot although I haven't tested that

@ilu33 commented Apr 25, 2023

Grub's restrictions are not involved if you do not encrypt /boot. There is no need for @dalto8 's recommendations because cryptsetup handles the encryption after grub has done its job.

If I understood this patch #2047 correctly, Calamares should be able to setup LUKS2 for everything else if /boot stays unencrypted. Maybe there's still a bug in there?

As an aside: If you want full disk encryption the optimal setup given unpatched grub2's restrictions would be: encrypt /boot with LUKS1/PBKDF2 and root with LUKS2/argon2id. But Calamares does not support this setup. This issue is about getting root (not boot) encryption to work with LUKS2.
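The distinction drawn in the two comments above (LUKS1, or LUKS2 keyslots using PBKDF2, which an unpatched GRUB 2.06 can open, versus argon2i/argon2id keyslots, which it cannot) can be checked on an existing device from the output of `cryptsetup luksDump`. The parser below is an added example, not Calamares, GRUB or cryptsetup code. The three dumps are constructed samples trimmed to the fields the parser reads, with placeholder UUIDs; the mixed volume assumes a second keyslot was added with `cryptsetup luksAddKey --pbkdf pbkdf2`, which is one way to get a GRUB-openable slot next to an argon2id one.

```python
"""Check which LUKS keyslots an unpatched GRUB 2.06 can open.

Added example for this thread, not code from Calamares, GRUB or cryptsetup.
It parses the text printed by `cryptsetup luksDump <device>` for LUKS1 and
LUKS2 headers and reports each keyslot's PBKDF: unpatched GRUB 2.06 opens
LUKS1 (always PBKDF2) and LUKS2 keyslots using pbkdf2, but not argon2i or
argon2id. The dumps below are constructed samples; UUIDs are placeholders.
"""
import re
from dataclasses import dataclass, field

GRUB_206_KDFS = {"pbkdf2"}  # the only KDF an unpatched GRUB 2.06 implements


@dataclass
class LuksInfo:
    version: int
    keyslots: dict = field(default_factory=dict)  # slot number -> kdf name


def parse_luks_dump(dump: str) -> LuksInfo:
    """Extract the header version and each keyslot's KDF from luksDump text."""
    m = re.search(r"^Version:\s*(\d+)", dump, re.M)
    if not m:
        raise ValueError("no 'Version:' line; not cryptsetup luksDump output")
    info = LuksInfo(version=int(m.group(1)))
    if info.version == 1:
        # LUKS1 offers no KDF choice: every enabled slot is PBKDF2.
        for slot in re.findall(r"^Key Slot (\d+): ENABLED", dump, re.M):
            info.keyslots[int(slot)] = "pbkdf2"
        return info
    # LUKS2: slots live under "Keyslots:". "Data segments:" uses the same
    # "  N: type" entry shape and "Digests:" also says "pbkdf2" (the header
    # digest), so the section must be tracked or argon2 volumes look openable.
    in_keyslots, current = False, None
    for line in dump.splitlines():
        if line and not line[0].isspace():  # top-level section header
            in_keyslots, current = line.startswith("Keyslots:"), None
            continue
        if not in_keyslots:
            continue
        slot = re.match(r"^\s+(\d+): \S+", line)  # e.g. "  0: luks2"
        if slot:
            current = int(slot.group(1))
        elif current is not None:
            kdf = re.match(r"^\s+PBKDF:\s*(\S+)", line)
            if kdf:
                info.keyslots[current] = kdf.group(1).lower()
    return info


def grub_unlockable_slots(info: LuksInfo) -> dict:
    """Map each keyslot to whether unpatched GRUB 2.06 can derive its key."""
    return {s: kdf in GRUB_206_KDFS for s, kdf in info.keyslots.items()}


def grub_can_unlock(info: LuksInfo) -> bool:
    """True if at least one keyslot is GRUB-openable, which is enough to boot."""
    return any(grub_unlockable_slots(info).values())


# Constructed: /boot as LUKS1, the layout unpatched GRUB has always opened.
DUMP_BOOT_LUKS1 = """\
LUKS header information for /dev/sda2

Version:       \t1
Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha256
UUID:          \t00000000-0000-0000-0000-000000000001

Key Slot 0: ENABLED
\tIterations:         \t2097152
Key Slot 1: DISABLED
"""

# Constructed: root as LUKS2 with one argon2id keyslot. Unpatched GRUB cannot
# open this, so /boot has to live elsewhere.
DUMP_ROOT_LUKS2 = """\
LUKS header information
Version:       \t2
UUID:          \t00000000-0000-0000-0000-000000000002

Data segments:
  0: crypt
\tcipher: aes-xts-plain64

Keyslots:
  0: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
\tTime cost:  4
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
"""

# Constructed: the same volume after `cryptsetup luksAddKey --pbkdf pbkdf2`
# added slot 1; GRUB can open slot 1 while slot 0 keeps argon2id.
DUMP_ROOT_LUKS2_MIXED = DUMP_ROOT_LUKS2.replace("Tokens:", """\
  1: luks2
\tPBKDF:      pbkdf2
\tIterations: 1000000
Tokens:""")
```

Usage on a live system: `parse_luks_dump(subprocess.run(["cryptsetup", "luksDump", dev], capture_output=True, text=True).stdout)` for each device that carries /boot, then `grub_can_unlock()`. For the samples, the LUKS1 /boot and the mixed root come back as openable and the argon2id-only root does not, which matches the layouts discussed above.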

@kkofler (Contributor) commented Apr 25, 2023

At that point, since Calamares puts a keyfile for the other encrypted partitions on the encrypted /boot (so that you only have to unlock the system once, through GRUB), you may as well encrypt everything with LUKS 1. The mixed setup does not provide any added security.

@ilu33 commented Apr 25, 2023

Calamares does not use a keyfile with unencrypted boot anymore. AFAIK that got patched. Ah, sorry, I misunderstood you. You are right.

Background: Luks1 is broken. Here is the explanation why: https://mjg59.dreamwidth.org/66429.html. Whatever happened in the case he's talking about doesn't matter. Luks1 can be cracked with today's computing power. If you don't care about secure encryption methods you might as well not encrypt at all.

@kkofler (Contributor) commented Apr 25, 2023

> Calamares does not use a keyfile with unencrypted boot anymore. AFAIK that got patched.

You write it: "with unencrypted /boot". Your proposal was to use LUKS 1 encryption for /boot, which is encrypted /boot.

@kkofler (Contributor) commented Apr 25, 2023

Also, LUKS 1 is not broken if you use a completely random password. If you use dictionary words, then yes, it is faster to brute-force because the key derivation function is too cheap for today's standards.

@kkofler (Contributor) commented Apr 25, 2023

And if you want LUKS 2 support in Calamares, then you will need to get GRUB fixed (or get all major distributions to carry the patch downstream, but good luck with that).

@ilu33 commented Apr 25, 2023

Yes, but one very often recommended password method (xkcd) uses dictionary words. And from a distribution point of view we cannot be content with implementing something that is proven to be outdated. Users rely on it. Calamares even explicitly warns the user about encryption without boot. If THAT is the level of security Calamares aims at, then users can rightfully expect that it doesn't use outdated KDFs.

It is indeed possible to do a setup with unpatched grub2 and LUKS2. The Debian installer does it (only argon2i though) and the Ubuntu 23 installer does it too (with argon2id). Debian's grub is definitely not patched; this proves that grub is not the culprit. So either the OP's config has a mistake or something is wrong with the way Calamares implements LUKS2.

@Dmole commented Aug 5, 2023

4 options

Patch grub:
https://mdleom.com/blog/2022/11/27/grub-luks2-argon2/

Use a grub alternative:
https://alternativeto.net/software/grub/?license=opensource

Use LUKS1 (with 100% CPU use before typing in the password)

Or leave /boot unencrypted

@kkofler (Contributor) commented Aug 5, 2023

We are aware of the GRUB patches. The issue is that distros are not shipping them. As long as the patches do not make it into distros (which probably means they need to get into upstream GRUB first, since this does not seem to be a priority for distros to patch downstream), we cannot rely on their presence.

@ilu33 commented Aug 6, 2023

Looks like unencrypted /boot now works correctly with Calamares and LUKS2. Thanks @abalfoort and calamares team for patching the issue.

Everybody should "remind" grub upstream to - after about 5 years - finally merge those patches. Seriously.
