[pkg-cryptsetup-devel] Default LUKS on-disk format version (Was: Calamares-installer 64bit testing-live)

Guilhem Moulin guilhem at debian.org
Sat Apr 6 16:11:48 BST 2019 

Hi Jonathan,

On Sat, 06 Apr 2019 at 12:06:14 +0200, Jonathan Carter wrote:
> Would you consider adding the "--with-default-luks-format=LUKS1" build
> flag so that users who use full disk encryption with GRUB can still boot?

The new LUKS2 on-disk format adds nice capabilities like unattended
unlocking via kernel keyring tokens, offloading the masterkey to the
kernel keyring (thus preventing access from userspace), more secure
(memory-hard) KDF, backup headers, custom sector size (`--sector-size
4096` is faster on 4k sectors devices), persistent flags, experimental
integrity protection, etc.

Defaulting to LUKS2 was requested by d-i [0], by some Debian users [1]
and by derivative like TAILS [2].  I mailed debian-boot [3] when 2.1.0-1
entered sid to flag the change.  The lacks of LUKS2 support in GRUB (and
possibly other bootloaders?) isn't something I foresaw, but I think our
focus for Buster should be to have majority of new installations (ie,
via d-i using the default LVM on top of LUKS partitioning, with a
separate cleartext /boot partition) benefit from LUKS2's improvements.

After all d-i doesn't support unlocking from GRUB yet [4].  Users who
wish to do unlock from GRUB need to go through extra steps, and manually
move /boot to the root partition, tweak the fstab(5), and possibly also
crypttab(5) and the LUKS header if one doesn't want to enter the
passphrase twice.  Given the bar is already rather high, I'd say that
formatting with `luksFormat --type luks1` (or converting an existing
volume to LUKS1 with `convert --type luks1`, possibly after converting
keyslots to PBKDF2 with `luksChangeKey --pbkdf pbkdf2`) doesn't raise it
much higher.  No need to ship a binary with different defaults, on the
other hand; cryptsetup ≥2.1, which defaults to LUKS2 for `luksFormat`,
will happily open LUKS1 partitions.  So it's possible to have /boot
residing in a LUKS1 container — and have GRUB decrypt it — and other
partitions (swap, /home, /, whatever) in LUKS2 volumes formatted with
the default parameters.

Hope you get well soon! :-)
Cheers,
-- 
Guilhem.

[0] https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919725
[2] https://redmine.tails.boum.org/code/issues/15450
[3] https://lists.debian.org/debian-boot/2019/02/msg00100.html
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849400
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20190406/9439adf5/attachment.sig>

More information about the pkg-cryptsetup-devel mailing list