[pkg-cryptsetup-devel] Default LUKS on-disk format version (Was: Calamares-installer 64bit testing-live)

Jonathan Carter jcc at debian.org
Sat Apr 6 16:16:22 BST 2019


Hey Guilhem

(thanks for all the details)

On 2019/04/06 17:11, Guilhem Moulin wrote:
> After all d-i doesn't support unlocking from GRUB yet [4].  Users who
> wish to unlock from GRUB need to go through extra steps, and manually
> move /boot to the root partition, tweak the fstab(5), and possibly also
> crypttab(5) and the LUKS header if one doesn't want to enter the
> passphrase twice.  Given the bar is already rather high, I'd say that
> formatting with `luksFormat --type luks1` (or converting an existing
> volume to LUKS1 with `convert --type luks1`, possibly after converting
> keyslots to PBKDF2 with `luksChangeKey --pbkdf pbkdf2`) doesn't raise it
> much higher.  No need to ship a binary with different defaults, on the
> other hand; cryptsetup ≥2.1, which defaults to LUKS2 for `luksFormat`,
> will happily open LUKS1 partitions.  So it's possible to have /boot
> residing in a LUKS1 container — and have GRUB decrypt it — and other
> partitions (swap, /home, /, whatever) in LUKS2 volumes formatted with
> the default parameters.

Yeah that's exactly what happens when you install from Calamares from
Debian Live images. I ended up patching kpmcore (its partitioning
manager) to add 'type=luks1' when it shells out to cryptsetup. kpmcore
doesn't let you choose LUKS version at all so I'll talk to upstream
about that so that they can add an option.

Testing it locally with full disk encryption with GRUB on / works just
fine again, so sorry for the noise.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) <jcc>
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄⠀⠀⠀⠀  Be Bold. Be brave. Debian has got your back.
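
Added example, not part of the original message or of cryptsetup/kpmcore: a header check for the situation discussed above, reporting whether a volume intended for /boot is LUKS1 or LUKS2 and, for LUKS2, which keyslots would first need `luksChangeKey --pbkdf pbkdf2` before `convert --type luks1`. The function names are hypothetical, the field offsets are assumed from the published LUKS1 and LUKS2 on-disk format specifications, the sample headers are constructed, and only the keyslot KDF condition mentioned in the thread is checked.

```python
import json
import struct

MAGIC = b"LUKS\xba\xbe"          # first 6 bytes of a LUKS1 or primary LUKS2 header
LUKS1_SLOT0, LUKS1_SLOT_LEN, LUKS1_ACTIVE = 208, 48, 0x00AC71F3
LUKS2_BIN_LEN = 4096              # LUKS2 binary header; the JSON area follows it

def keyslot_kdfs(hdr):
    """Return (version, {slot: kdf_name}) for the active keyslots."""
    if hdr[:6] != MAGIC:
        raise ValueError("no LUKS magic")
    (version,) = struct.unpack_from(">H", hdr, 6)
    if version == 1:              # LUKS1 keyslots always use PBKDF2
        states = [struct.unpack_from(">I", hdr, LUKS1_SLOT0 + LUKS1_SLOT_LEN * i)[0]
                  for i in range(8)]
        return 1, {i: "pbkdf2" for i, s in enumerate(states) if s == LUKS1_ACTIVE}
    if version == 2:
        (hdr_size,) = struct.unpack_from(">Q", hdr, 8)
        meta = json.loads(hdr[LUKS2_BIN_LEN:hdr_size].split(b"\0", 1)[0])
        return 2, {int(n): s["kdf"]["type"] for n, s in meta["keyslots"].items()}
    raise ValueError(f"unknown LUKS version {version}")

def boot_volume_status(hdr):
    """Classify a volume meant to hold /boot for GRUB unlocking."""
    version, kdfs = keyslot_kdfs(hdr)
    if version == 1:
        return "luks1: already in the format the message recommends"
    blocking = sorted(n for n, kdf in kdfs.items() if kdf != "pbkdf2")
    if blocking:
        return f"luks2: change keyslots {blocking} to pbkdf2 before converting"
    return "luks2: keyslots are pbkdf2, KDF precondition for convert is met"

# Constructed sample headers (not taken from a real device).
def sample_luks1(active=(0,)):
    hdr = bytearray(592)
    hdr[:8] = MAGIC + struct.pack(">H", 1)
    for i in range(8):
        state = LUKS1_ACTIVE if i in active else 0x0000DEAD
        struct.pack_into(">I", hdr, LUKS1_SLOT0 + LUKS1_SLOT_LEN * i, state)
    return bytes(hdr)

def sample_luks2(kdfs):
    slots = {str(n): {"type": "luks2", "kdf": {"type": k}} for n, k in kdfs.items()}
    area = json.dumps({"keyslots": slots}).encode().ljust(12288, b"\0")
    hdr = MAGIC + struct.pack(">HQ", 2, LUKS2_BIN_LEN + len(area))
    return hdr.ljust(LUKS2_BIN_LEN, b"\0") + area

if __name__ == "__main__":
    for h in (sample_luks1(), sample_luks2({0: "argon2i", 1: "pbkdf2"}), sample_luks2({0: "pbkdf2"})):
        print(boot_volume_status(h))
```

To check a real volume, pass the first 16 KiB or more read from the block device or from a `luksHeaderBackup` file.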


