From 8504e0d427f9741330401f9e0e5d703ba5c4a5d6 Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Tue, 23 Jun 2020 14:55:04 +0200
Subject: [PATCH] Update default.conf

Add "--type luks1" to the default LUKS_CRYPTSETUP_OPTIONS to fix https://github.com/rear/rear/issues/2432
---
 usr/share/rear/conf/default.conf | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/usr/share/rear/conf/default.conf b/usr/share/rear/conf/default.conf
index 9ada92c3df..c51d99ebae 100644
--- a/usr/share/rear/conf/default.conf
+++ b/usr/share/rear/conf/default.conf
@@ -1641,11 +1641,19 @@ TIMESYNC_SOURCE=
 # and https://github.com/rear/rear/issues/1035 and https://github.com/rear/rear/pull/1469
 LANG_RECOVER=C
-# LUKS_CRYPTSETUP_OPTIONS contains additional options to cryptsetup which complement auto-detected options.
-# The default setting increases security beyond the level attained by compiled-in cryptsetup defaults.
-# On some systems, using the /dev/random random generator may result in possibly long delays.
-# In this case, you may set LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom" instead,
-# but using /dev/urandom instead of /dev/random will produce a low-quality master encryption key.
+# LUKS_CRYPTSETUP_OPTIONS contains additional options to cryptsetup
+# which complement auto-detected options and enforce certain settings.
+# Because LUKS2 is not (yet) supported by ReaR (cf. https://github.com/rear/rear/issues/2204)
+# the option '--type luks1' is needed to enforce the LUKS1 header format
+# because the default header format is LUKS1 with cryptsetup < 2.1.0
+# but LUKS2 with cryptsetup ≥ 2.1.0 (cf. https://github.com/rear/rear/issues/2432)
+# to ensure LUKS1 gets recreated as LUKS1 also with with newer cryptsetup versions.
+# The default settings '--iter-time 2000 --use-random' increases security
+# beyond the level attained by compiled-in cryptsetup defaults.
+# On some systems using the /dev/random random generator may result in possibly long delays
+# while generating the needed LUKS encryption keys during "rear recover".
+# In this case you may set LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom" instead
+# but using /dev/urandom instead of /dev/random results a low-quality master encryption key.
 # To add more additional options to the ones below specify them in your etc/rear/local.conf via
 # LUKS_CRYPTSETUP_OPTIONS+=" more additional options"
 # (the leading space is mandatory) for example LUKS_CRYPTSETUP_OPTIONS+=" --force-password"
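Review bot: The override example in the added comment, `LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom"`, assigns the variable without `--type luks1`, so anyone who copies it drops the setting this commit introduces and gets a LUKS2 header again with cryptsetup ≥ 2.1.0. The example should read `# In this case you may set LUKS_CRYPTSETUP_OPTIONS="--type luks1 --iter-time 2000 --use-urandom" instead`. The same comment block has three wording slips worth fixing in the same pass: "also with with newer", "The default settings ... increases", and "results a low-quality" (should be "results in"). The statement that /dev/urandom yields a low-quality master key is probably too strong for a kernel whose random pool is already seeded; the concern is a freshly booted recovery system with little entropy, and saying so would help users judge the trade-off.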
@@ -1663,7 +1671,7 @@ LANG_RECOVER=C
 # when a specified LVM volume size does no longer fit into a smaller LUKS data payload area,
 # cf. https://github.com/rear/rear/issues/2389
 # For details, see the cryptsetup(8) manual page of your particular Linux distribution.
-LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-random"
+LUKS_CRYPTSETUP_OPTIONS="--type luks1 --iter-time 2000 --use-random"
 ##
 # BACKUP=CDM (Rubrik CDM; Cloud Data Managemnt)
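Review bot: `--type luks1` is enforced only through this default string, so a local.conf that assigns `LUKS_CRYPTSETUP_OPTIONS=` instead of appending with `+=` silently loses it, and recovery falls back to whatever header format the installed cryptsetup prefers. If the code that runs `cryptsetup luksFormat` (not visible in this diff) can pass the type itself, that would be sturdier than relying on the default; otherwise state next to the assignment that the option must be kept in any override, e.g. `# Keep '--type luks1' in any override until LUKS2 is supported, cf. https://github.com/rear/rear/issues/2204`. It is also worth documenting that LUKS1 derives keys with PBKDF2 only, so `--iter-time` is the brute-force hardening knob here, and that this pinned default needs revisiting once LUKS2 volumes can be recreated so they are not downgraded to LUKS1.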