[pkg-cryptsetup-devel] Bug#927165: debian-installer: improve support for LUKS
Guilhem Moulin
guilhem at debian.org
Mon Apr 15 21:35:33 BST 2019
Hi Cyril,
[crytsetup team member here]
On Mon, 15 Apr 2019 at 21:40:35 +0200, Cyril Brulebois wrote:
> There are also some other highlights in this changelog entry, regarding
> key sizes, and some update to partman-crypto might be needed…
GRUB stuff aside? AFAICT not, but FWIW we poked debian-boot to
highlight the changes when 2.1.0 entered unstable two months ago:
https://lists.debian.org/debian-boot/2019/02/msg00100.html
Yup that was quite late in the release cycle, sorry for that.
Formatting new devices to LUKS2 by default was discussed since the
summer, and 2.1 was originally planned for late 2018. In the end it was
released 2 months later, but since we had this discussion before we
thought we had d-i's blessing here regarding LUKS2, and uploaded to sid
just before the freeze:
https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919725
> One could argue that cryptodisk support has never been supported by d-i
> anyway,
Yup, and I suppose that's why I overlooked this in my mail to
debian-boot :-P Jonathan Carter had a similar report last week
https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html
Should have poked debian-boot immediately, apologies for not doing so
:-( Until GRUB unlocking is supported in d-i [#849400] I'd say it's
enough to document the change and make the LUKS version configurable
(from an expert prompt or preseed.cfg).
> And for those who would wonder: It seems that LUKS2 brings some
> interesting features on the security front, so it doesn't seem really
> reasonable to stick to LUKS1 unconditionally.
Agreed, for the reasons mentioned in my reply to Jonathan:
https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html
(first paragraph).
Cheers,
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20190415/1a347b02/attachment.sig>
More information about the pkg-cryptsetup-devel
mailing list