[pkg-cryptsetup-devel] Bug#927165: debian-installer: improve support for LUKS

Guilhem Moulin guilhem at debian.org
Mon Apr 15 23:21:27 BST 2019


On Mon, 15 Apr 2019 at 23:24:19 +0200, Cyril Brulebois wrote:
> Guilhem Moulin <guilhem at debian.org> (2019-04-15):
>> On Mon, 15 Apr 2019 at 21:40:35 +0200, Cyril Brulebois wrote:
>>> There are also some other highlights in this changelog entry, regarding
>>> key sizes, and some update to partman-crypto might be needed…
>> 
>> GRUB stuff aside?
> 
> My point above was that there are a number of “keysize” occurrences in
> partman-crypto[1] that might need to be adjusted for the new sizes in
> cryptsetup.

I'm not really familiar with partman-crypto so please take that with a
grain of salt, but at first glance the key size is passed explicitly

    /sbin/cryptsetup -c $cipher-$iv -h $hash -s $size luksFormat $device $pass

hence isn't affected by the new *default*.  AFAIK the keysize is still
256 in non-XTS modes, and double that in XTS mode (so AES256 is used).
 
> And while I cannot personally guarantee I'm going to spot all mails that
> need action/reaction on the mailing list, something like a mention of
> this GRUB limitation[3] (apparently documented since late 2018) might
> have piqued somebody's interest back then and could have triggered some
> feedback from someone else…

Agreed, that wasn't a deliberate omission of course.  It simply didn't
cross my mind until I read the message from Jonathan :-(  (Ironically I
have some devices with LUKS unlocking from GRUB, but haven't deployed
new ones this year…)

> Time for some rest here. I've added the “LUKS version configurability”
> topic to my list of urgent d-i issues, and I'll try to get that done
> soon.

Thanks, Cyril!  And sorry for the extra work…  I might be able to give a
hand, too.

-- 
Guilhem.
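
[Added example, not part of the original message and not partman-crypto code.] The point made above, that options given explicitly are unaffected by changed defaults, can be checked mechanically. This shell function lists the luksFormat calls in a script and reports which of cipher, hash, key size and LUKS type are given on the command line. The sample input is constructed: its first call is the line quoted in the message, the second is hypothetical.

```shell
#!/bin/sh
# Added example: show which luksFormat parameters a script pins explicitly
# and which it leaves to cryptsetup's compiled-in defaults.

# Constructed sample input. Line 2 is the invocation quoted in the message;
# lines 4-5 are a hypothetical call split across two lines.
sample_script() {
    cat <<'EOF'
# format with explicit parameters
/sbin/cryptsetup -c $cipher-$iv -h $hash -s $size luksFormat $device $pass
# hypothetical call that only sets the LUKS type
cryptsetup --type luks1 \
    luksFormat "$device"
EOF
}

# audit_luksformat FILE
# Prints "<line>: cipher=.. hash=.. keysize=.. type=.." per luksFormat call.
# Heuristic (assumption): options appear as "-x value", "--long value" or
# "--long=value". Backslash-continued lines are joined before matching.
audit_luksformat() {
    awk '
    function st(cmd, s, l) {
        # Pad with spaces so the option is matched as a whole word.
        return ((" " cmd " ") ~ ("[ \t](-" s "|--" l ")[ \t=]")) ? "pinned" : "default"
    }
    {
        if (buf == "") start = NR            # first line of this command
        line = $0
        if (sub(/\\$/, " ", line)) { buf = buf line; next }
        cmd = buf line; buf = ""
        if (cmd ~ /^[ \t]*#/ || cmd !~ /cryptsetup/ || cmd !~ /luksFormat/) next
        printf "%d: cipher=%s hash=%s keysize=%s type=%s\n", start,
            st(cmd, "c", "cipher"), st(cmd, "h", "hash"),
            st(cmd, "s", "key-size"), st(cmd, "M", "type")
    }' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_script > "$tmp"
audit_luksformat "$tmp"
rm -f "$tmp"
```

A "default" entry marks a parameter whose value will follow whatever the installed cryptsetup version uses, so those are the calls to review when defaults change.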