Why does the installer still use LUKS1 by default?
Hello,

Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?

Thank you.

Regards,
Zaper

On 2023-07-15 07:33, Andrei Borzenkov wrote:
Undone top post for him ;-)

Ok, then, LUKS2 could be used, I mean supported, on those machines that use ext4? So I don't get LUKS2 because of the "mania" to use btrfs? GRRR :-p

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)

Hi,

On Sat, 2023-07-15 at 13:49 +0200, Carlos E. R. wrote:

After ALP will use LUKS2, including optional support for unattended decryption via TPM2, by default, Factory is also already capable of using it on a package-level, with PBKDF2 for now (Argon2 enablement is also under development, but needs a bit more time).

Unfortunately, the focus for the Installer-enablement was on Agama, therefore the YaST-part is not yet ready, but there is already an open feature-request[1].

Gary Lin (added to CC) will also provide some documentation on how to manually migrate from LUKS1 to LUKS2, if you want to try it earlier or to migrate old systems.

Last but not least, while we already had some improvements to hand over the passphrase from grub to the initrd to unlock root and avoid entering the password twice, there was still an issue that users had to type it twice if SWAP is also encrypted (even with the same password). For those cases, Gary also, just recently, found a solution for how we can securely pass over the passphrase to retry it for other partitions.

While I can't give an exact timeline yet, please stay prepared that there should be some more detailed news soon. ;)

Best,
Benjamin

[1] https://github.com/yast/yast-installation/issues/1088

--
Benjamin Brunner
Engineering Manager System Boot and Init
SUSE Software Solutions Germany GmbH

participants (4)
- Andrei Borzenkov
- Benjamin Brunner
- Carlos E. R.
- zaper@dmc.chat