Add "--type luks1" to the default LUKS_CRYPTSETUP_OPTIONS #2437

Merged
merged 1 commit into from
Jun 30, 2020
20 changes: 14 additions & 6 deletions usr/share/rear/conf/default.conf
Expand Up @@ -1641,11 +1641,19 @@ TIMESYNC_SOURCE=
# and https://github.com/rear/rear/issues/1035 and https://github.com/rear/rear/pull/1469
LANG_RECOVER=C

# LUKS_CRYPTSETUP_OPTIONS contains additional options to cryptsetup which complement auto-detected options.
# The default setting increases security beyond the level attained by compiled-in cryptsetup defaults.
# On some systems, using the /dev/random random generator may result in possibly long delays.
# In this case, you may set LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom" instead,
# but using /dev/urandom instead of /dev/random will produce a low-quality master encryption key.
# LUKS_CRYPTSETUP_OPTIONS contains additional options to cryptsetup
# which complement auto-detected options and enforce certain settings.
# Because LUKS2 is not (yet) supported by ReaR (cf. https://github.com/rear/rear/issues/2204)
# the option '--type luks1' is needed to enforce the LUKS1 header format
# because the default header format is LUKS1 with cryptsetup < 2.1.0
# but LUKS2 with cryptsetup ≥ 2.1.0 (cf. https://github.com/rear/rear/issues/2432)
# to ensure LUKS1 gets recreated as LUKS1 also with with newer cryptsetup versions.
# The default settings '--iter-time 2000 --use-random' increases security
# beyond the level attained by compiled-in cryptsetup defaults.
# On some systems using the /dev/random random generator may result in possibly long delays
# while generating the needed LUKS encryption keys during "rear recover".
# In this case you may set LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom" instead
# but using /dev/urandom instead of /dev/random results a low-quality master encryption key.
# To add more additional options to the ones below specify them in your etc/rear/local.conf via
# LUKS_CRYPTSETUP_OPTIONS+=" more additional options"
# (the leading space is mandatory) for example LUKS_CRYPTSETUP_OPTIONS+=" --force-password"
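Review bot: The fallback suggested in the new comment, LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-urandom", is a plain assignment, so anyone who copies it drops the '--type luks1' that this same comment block says is needed with cryptsetup ≥ 2.1.0. Suggest writing the example as LUKS_CRYPTSETUP_OPTIONS="--type luks1 --iter-time 2000 --use-urandom". Wording nits in the same block: "also with with newer" has a doubled word, "results a low-quality" should read "results in a low-quality", and "The default settings ... increases" should agree in number.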
Expand All @@ -1663,7 +1671,7 @@ LANG_RECOVER=C
# when a specified LVM volume size does no longer fit into a smaller LUKS data payload area,
# cf. https://github.com/rear/rear/issues/2389
# For details, see the cryptsetup(8) manual page of your particular Linux distribution.
LUKS_CRYPTSETUP_OPTIONS="--iter-time 2000 --use-random"
LUKS_CRYPTSETUP_OPTIONS="--type luks1 --iter-time 2000 --use-random"

##
# BACKUP=CDM (Rubrik CDM; Cloud Data Managemnt)
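Review bot: Putting '--type luks1' only into the default value of LUKS_CRYPTSETUP_OPTIONS means the LUKS1 enforcement disappears whenever a user's etc/rear/local.conf sets the variable with '=' rather than '+='. Since the comment above says LUKS2 is not supported by ReaR, consider enforcing the type where the cryptsetup call is assembled, or at least state next to this line that an overriding assignment has to repeat '--type luks1'.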