[pkg-cryptsetup-devel] Default LUKS on-disk format version (Was: Calamares-installer 64bit testing-live)

Guilhem Moulin guilhem at debian.org
Tue Apr 16 01:42:09 BST 2019


Hi Jonathan,

On Sat, 06 Apr 2019 at 17:16:22 +0200, Jonathan Carter wrote:
> On 2019/04/06 17:11, Guilhem Moulin wrote:
>> After all d-i doesn't support unlocking from GRUB yet [4].  Users who
>> wish to unlock from GRUB need to go through extra steps, and manually
>> move /boot to the root partition, tweak the fstab(5), and possibly also
>> crypttab(5) and the LUKS header if one doesn't want to enter the
>> passphrase twice.  Given the bar is already rather high, I'd say that
>> formatting with `luksFormat --type luks1` (or converting an existing
>> volume to LUKS1 with `convert --type luks1`, possibly after converting
>> keyslots to PBKDF2 with `luksChangeKey --pbkdf pbkdf2`) doesn't raise it
>> much higher.  No need to ship a binary with different defaults, on the
>> other hand; cryptsetup ≥2.1, which defaults to LUKS2 for `luksFormat`,
>> will happily open LUKS1 partitions.  So it's possible to have /boot
>> residing in a LUKS1 container — and have GRUB decrypt it — and other
>> partitions (swap, /home, /, whatever) in LUKS2 volumes formatted with
>> the default parameters.
> 
> Yeah that's exactly what happens when you install from Calamares from
> Debian Live images. I ended up patching kpmcore (its partitioning
> manager) to add 'type=luks1' when it shells out to cryptsetup. kpmcore
> doesn't let you choose luks version at all so I'll talk to upstream
> about that so that they can add an option.

I guess you're not using d-i in Calamares, but you might be interested
to subscribe to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927165
nonetheless.

Cheers,
-- 
Guilhem.
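
An added example, not part of the original message and not cryptsetup code: a header check that reports whether a container is LUKS1 or LUKS2 and, for LUKS2, which keyslots are not yet PBKDF2 and would need `luksChangeKey --pbkdf pbkdf2` before `convert --type luks1`. The function names and sample headers are hypothetical and constructed; the offsets assume the published LUKS on-disk layouts (magic, version at byte 6, LUKS2 header size at byte 8, JSON area at byte 4096).

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of both LUKS1 and LUKS2 headers
LUKS2_BIN_HDR = 4096          # assumed layout: LUKS2 JSON area follows the 4 KiB binary header


def inspect_luks_header(blob: bytes) -> dict:
    """Return the format version and, for LUKS2, the KDF type of each keyslot."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", blob[6:8])  # big-endian uint16
    if version not in (1, 2):
        raise ValueError(f"unknown LUKS version {version}")
    info = {"version": version, "is_luks1": version == 1,
            "kdfs": {}, "needs_pbkdf2_change": []}
    if version == 2:
        (hdr_size,) = struct.unpack(">Q", blob[8:16])  # binary header + JSON area
        if hdr_size <= LUKS2_BIN_HDR or hdr_size > len(blob):
            raise ValueError("truncated or inconsistent LUKS2 header")
        meta = json.loads(blob[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0])
        for slot, ks in sorted(meta.get("keyslots", {}).items(), key=lambda kv: int(kv[0])):
            kdf = ks.get("kdf", {}).get("type")
            info["kdfs"][slot] = kdf
            if kdf != "pbkdf2":  # these slots block conversion to LUKS1
                info["needs_pbkdf2_change"].append(slot)
    return info


def sample_luks1() -> bytes:
    # Constructed sample: only magic and version are meaningful, the rest is padding.
    return (LUKS_MAGIC + struct.pack(">H", 1)).ljust(592, b"\0")


def sample_luks2(kdfs) -> bytes:
    # Constructed sample: minimal JSON metadata with one keyslot per KDF name given.
    meta = {"keyslots": {str(i): {"type": "luks2", "kdf": {"type": k}}
                         for i, k in enumerate(kdfs)}}
    json_area = json.dumps(meta).encode().ljust(12288, b"\0")
    binhdr = (LUKS_MAGIC + struct.pack(">HQ", 2, 16384)).ljust(LUKS2_BIN_HDR, b"\0")
    return binhdr + json_area


if __name__ == "__main__":
    print(inspect_luks_header(sample_luks1()))
    print(inspect_luks_header(sample_luks2(["argon2i", "pbkdf2"])))
```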