LUKS2 unusable in current state #2129
Comments
Log files:
GRUB doesn't support argon2id in many distros by default. That is the reason that LUKS2 isn't the default in Calamares. The distro needs to add support for LUKS2 before enabling it. For example:
GRUB's restrictions are not involved if you do not encrypt /boot. There is no need for @dalto8's recommendations because cryptsetup handles the encryption after GRUB has done its job. If I understood this patch #2047 correctly, Calamares should be able to set up LUKS2 for everything else if /boot stays unencrypted. Maybe there's still a bug in there? As an aside: if you want full disk encryption, the optimal setup given unpatched GRUB2's restrictions would be: encrypt /boot with LUKS1/PBKDF2 and root with LUKS2/argon2id. But Calamares does not support this setup. This issue is about getting root (not boot) encryption to work with LUKS2.
At that point, since Calamares puts a keyfile for the other encrypted partitions on the encrypted
Calamares does not use a keyfile with unencrypted boot anymore. AFAIK that got patched.
- Ah sorry, I misunderstood you. You are right. Background: LUKS1 is broken. Here is the explanation why: https://mjg59.dreamwidth.org/66429.html. Whatever happened in the case he's talking about doesn't matter. LUKS1 can be cracked with today's computing power. If you don't care about secure encryption methods you might as well not encrypt at all.
You write it: "with unencrypted
Also, LUKS1 is not broken if you use a completely random password. If you use dictionary words, then yes, it is faster to brute-force because the key derivation function is too cheap for today's standards.
And if you want LUKS 2 support in Calamares, then you will need to get GRUB fixed (or get all major distributions to carry the patch downstream, but good luck with that). |
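The disagreement above turns on which key derivation function actually protects a given volume: LUKS1 offers only PBKDF2, while LUKS2 key slots may use PBKDF2, argon2i or argon2id depending on how they were created. The script below is an added example, not code from Calamares or from any participant in this issue; it audits the per-slot KDF from the text that `cryptsetup luksDump` prints, so a distro maintainer can check what an installer produced. The three dumps embedded in it are constructed for offline use (placeholder UUIDs, abbreviated fields); on a real system you would pipe `cryptsetup luksDump /dev/sdX2` into `luks_kdf_audit`. One caveat the check accounts for: a LUKS2 header always lists `pbkdf2` in its Digests section, which is the volume-key digest and not a key-slot weakness, so only the Keyslots section is inspected.

```shell
#!/bin/sh
# Added example, not code from the Calamares project or from this issue thread.
# Audits the key-derivation function of every key slot in a LUKS header, using
# the text that `cryptsetup luksDump <device>` prints. On a real system:
#     cryptsetup luksDump /dev/sdX2 | luks_kdf_audit
# The dumps embedded below are constructed for offline use; UUIDs are
# placeholders, not values from any real header.

# Reads a luksDump on stdin, prints "slot <n> <kdf> <verdict>" per enabled slot.
# Exit status: 0 = every slot uses Argon2 (argon2i or argon2id),
#              1 = at least one slot uses PBKDF2 (all LUKS1 slots do),
#              2 = the input does not look like a LUKS header at all.
luks_kdf_audit() {
    awk '
    BEGIN { weak = 0; in_slots = 0 }
    /^Version:/ { version = $2 }
    # LUKS1 has no per-slot KDF field: every enabled slot is PBKDF2.
    version == 1 && /^Key Slot [0-9]+: ENABLED/ {
        slot = $3; sub(":", "", slot)
        print "slot " slot " pbkdf2 WEAK"; weak = 1
    }
    # LUKS2 lists the KDF per slot under "Keyslots:". The later "Digests:"
    # section always says pbkdf2 (the volume-key digest is PBKDF2 by design),
    # so only lines inside the Keyslots section are inspected.
    /^Keyslots:/ { in_slots = 1; next }
    /^(Tokens|Digests):/ { in_slots = 0 }
    in_slots && /^[[:space:]]*[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
    in_slots && /^[[:space:]]*PBKDF:/ {
        kdf = $2
        if (kdf == "argon2id" || kdf == "argon2i") print "slot " slot " " kdf " ok"
        else { print "slot " slot " " kdf " WEAK"; weak = 1 }
    }
    END {
        if (version == "") exit 2
        exit (weak ? 1 : 0)
    }'
}

# Constructed sample: LUKS2 header, both slots created with argon2id.
# Real luksDump output indents slot attributes with a tab; the audit accepts either.
sample_luks2_argon2() {
cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000000
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
}

# Constructed sample: LUKS2 header where slot 1 was added with --pbkdf pbkdf2
# (as one might do for a GRUB-unlockable slot); slot 0 stays argon2id.
sample_luks2_mixed() {
cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Constructed sample: LUKS1 header (PBKDF2 is the only option there).
sample_luks1() {
cat <<'EOF'
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             1000000
        AF stripes:             4000
Key Slot 1: DISABLED
EOF
}

# Runs each sample through the audit and reports its exit status; the
# "|| rc=$?" keeps a WEAK verdict from aborting the loop under `set -e`.
demo() {
    for s in sample_luks2_argon2 sample_luks2_mixed sample_luks1; do
        echo "== $s"
        rc=0; "$s" | luks_kdf_audit || rc=$?
        echo "exit status: $rc"
    done
}
demo
```

The exit status makes the check usable from an installer's post-install hook or a CI job: a non-zero result on a LUKS2 root means a slot was created with a KDF the distribution did not intend, which is exactly the situation this thread is trying to distinguish from a GRUB limitation.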
Yes, but one very often recommended password method (xkcd) uses dictionary words. And from a distribution point of view we cannot be content with implementing something that is proven to be outdated. Users rely on it. Calamares even explicitly warns the user about encryption without boot. If THAT is the level of security Calamares aims at, then users can rightfully expect that it doesn't use outdated KDFs. It is indeed possible to do a setup with unpatched GRUB2 and LUKS2. The Debian installer does it (only argon2i though) and the Ubuntu 23 installer does it too (with argon2id). Debian's GRUB is definitely not patched; this proves that GRUB is not the culprit. So either the OP's config has a mistake or something is wrong with the way Calamares implements LUKS2.
4 options:
- Patch GRUB:
- Use a GRUB alternative:
- Use LUKS1 (with 100% CPU use before typing in the password)
- Or leave /boot unencrypted
We are aware of the GRUB patches. The issue is that distros are not shipping them. As long as the patches do not make it into distros (which probably means they need to get into upstream GRUB first, since this does not seem to be a priority for distros to patch downstream), we cannot rely on their presence. |
Looks like unencrypted /boot now works correctly with Calamares and LUKS2. Thanks @abalfoort and calamares team for patching the issue. Everybody should "remind" grub upstream to - after about 5 years - finally merge those patches. Seriously. |
I followed this guide to setup LUKS2 for Calamares on Debian Bookworm: https://github.com/calamares/calamares/wiki/Deploy-LUKS
Calamares built from source (21-04-2023).
Configuration files:
modules_conf.zip
Version info:
Automatic partitioning (erase):
300M: /boot/efi: FAT32
10G: /: LUKS2
100%: /home: LUKS2
Creating a /boot partition for automatic partitioning results in an encrypted /boot partition and the same error as above.
Manual partitioning:
300M: /boot/efi: FAT32
300M: /boot: EXT4
10G: /: LUKS2
100%: /home: LUKS2
"Boot partition not encrypted" warning is shown. In this case (there is currently no alternative) the warning should not be shown.
As I understand, Grub2 does not support LUKS2. You will need an unencrypted /boot partition. However, automatic partitioning does not create an unencrypted /boot partition when using LUKS2 for encryption. Manual partitioning should work, but crashes on grub-probe.