-
Notifications
You must be signed in to change notification settings - Fork 391
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cryptsetup 2.1 switches to LUKS2 by default #1099
Comments
Upstream GRUB bug: https://savannah.gnu.org/bugs/?55093 |
I think Calamares should implement your proposed workaround for now. |
@kkofler I don't think so :-) If you don't have grub2 with luks2 support in your Distribution then you should --with-default-luks-format=LUKS1 |
@abucodonosor: well, that is the wrong approach. We should make it possible to support luks2 for sure, however none of the key parts support that format yet. Especially grub. So CAL might be configurable and should default to luks1 for now. We can make this adjustable via config file. Just compiling cryptsetup for defaulting to luks1 might make sense, but if a distro is defaulting to luks2 we still have a problem when grub is chosen as the bootloader. |
Yes but your bug is in packaging logic. If you push luks with luks2 default but grub2 with luks1 default If any of your user decide to do some kind luks setup after that all will break down Quoting luks folks:
I agree with that part we can add a luksX option in some config file until grub2 Beacuse is not only about grub2 here , but about systend generators , initramfs hooks of any sort,
You mean with patched grub2 for luks2 key formats() ? .. Well we need , if we add luks2 key format(s) support to make it clear is:
and emit a 'big warning' when used. |
@abucodonosor: grub doesn't support luks2 yet. Other software might either. However, on Arch they use cryptsetup with luks2 as default. I compiled now a version defaulting to luks1 on Manjaro. I only want to have CAL configurable and default to luks1 to avoid issues until upstream managed to get all compatible. That's all. |
Fedora 30 will default to LUKS 2 in |
Uff and the point of having luks being then ?:) 'put your initrd into unencrypted /boot while you store your key there ' ? hmm ? |
Anaconda doesn't use keyfiles, you get prompted for the passphrase by Dracut rather than GRUB. (As I explained on IRC, this is what Calamares should also do if you do manual partitioning with unencrypted |
Actually, this can easily be solved by cherry-picking the first part of this patch. It isn't in a non-beta tagged version yet, which explains why everyone's having the issue. As it turns out, Calamares doesn't actually define LUKS2-specific partitions. It creates a partition with the |
To clarify, @abucodonosor, the workaround that you ruled out has already been implemented for two years now. ;) |
please avoid to highlight or CC'ing me. But lets clarify..
Thx |
I did just cherry-pick the commit (well, pulled it downstream from Debian, thanks @highvoltage!) You're misunderstanding what I have stated; in Calamares, when kpmcore is called, it creates filesystems with the type Easily solved. Just don't switch the kpmcore calls to LUKS2 until we have everything sorted. Issue closed. |
In debian I patched kpmcore to specify --luks1 when configuring the encryption containers. I believe the correct place to fix this is in kpmcore, not calamares. kpmcore should have an option to specify whether you want to configure luks1 or luks2, then you can have that as an option in calamares. |
no , In both not only kpmcore or calamares. While is fine kpmcore to have a API for both , calamares need implement Is not only about force LUKS1 or LUKS2 because that won't work with the code Also kpmcore is not the right place to force what calamares may need. |
@abucodonosor I think you may have misunderstood me. |
A LUKS1 container should only be made when the boot-files are in that particular container and the version of Grub installed is not able to handle LUKS2, that would be the best way to future-proof. Whenever Grub is able to handle LUKS2, this provision can be removed. If Calamares is going to make this decision, then the way different distros handle the situation is circumvented. |
And how do you propose we detect whether GRUB supports LUKS2? |
Probably by querying the version? |
Not possible. It can be a custom patch, snapshot or whatever. Or someone just doesn't want that support. |
Exactly, plus we also do not know what version of GRUB will support LUKS2 because there is no such version at this time. |
Do what you think is best, I prefer not to use Grub at all myself. |
Grub now supports LUKS2: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755 So is it the case that a feature request/issue needs to be created to ask for Calamares to now use LUKS2 by default (assuming it was switched to LUKS1 at some point) and package with the new grub bootloader? |
It is not how is working. That commit exists in git and even it would exist on some released grub2 package we still cannot switch that now until distros ( mostly LTS ones ) move to newer grub2 packages. Also, I don't think we can switch that at all to LUKS2 for a longer time, but have a Luks2 module of some sort and use a configuration option to switch the code is used. |
I think we just need an option luks2: false which would be |
Be warned that even with current GRUB master, you still need a workaround CLI flag to GRUB master only supports LUKS2 with PBKDF2 as the PBKDF (the same PBKDF used by LUKS 1) (see [GRUB commit 365e0cc]):
but the default PBKDF for LUKS2 is actually |
Also note that forcing PBKDF2 actually nullifies one of the two purported advantages of LUKS2, so I am not convinced that it is worth jumping the gun on LUKS2 just now. IMHO, it makes more sense to wait for full GRUB support including Argon2i and to default to LUKS1 for now. |
KPMCore has been passing In addition, the related wish to support LUKS 2 as an option is implemented by #2047. Hence, closing this bug. |
Describe the bug
Currently you will hit issues when cryptsetup 2.1 is not set to use luks1 still as default. grub and other bootloaders still relay on luks1 for now.
To Reproduce
Steps to reproduce the behavior:
/boot
Expected behavior
When cryptsetup 2.1 is detected, we have to use
--type luks1
to explicitly use luks1 for/boot
encryption until grub might adopt luks2 support.Screenshots and Logs
Additional context
See also release notes from cryptsetup.
The text was updated successfully, but these errors were encountered: