Why does the installer still use LUKS1 by default?
Hello,

Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?

Thank you.

Regards,
Zaper
On 15.07.2023 07:58, zaper@dmc.chat wrote:
> Hello,
> Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?

Because to support rollback grub2 must be able to read encrypted root and grub2 did not support LUKS2 for a long time and even now Argon2 is not supported.
By rollback, do you mean the snapper btrfs backups?

On 2023-07-15 05:05, Andrei Borzenkov wrote:
> On 15.07.2023 07:58, zaper@dmc.chat wrote:
>> Hello,
>> Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?
>
> Because to support rollback grub2 must be able to read encrypted root and grub2 did not support LUKS2 for a long time and even now Argon2 is not supported.
On 15.07.2023 08:15, zaper@dmc.chat wrote:
> By rollback, do you mean the snapper btrfs backups?

I mean btrfs snapshots.

Do not top post.

> On 2023-07-15 05:05, Andrei Borzenkov wrote:
>> On 15.07.2023 07:58, zaper@dmc.chat wrote:
>>> Hello,
>>> Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?
>>
>> Because to support rollback grub2 must be able to read encrypted root and grub2 did not support LUKS2 for a long time and even now Argon2 is not supported.
On 2023-07-15 07:33, Andrei Borzenkov wrote:
> On 15.07.2023 08:15, zaper@dmc.chat wrote:
>> On 2023-07-15 05:05, Andrei Borzenkov wrote:
>>> On 15.07.2023 07:58, zaper@dmc.chat wrote:
>>>> Hello,
>>>> Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?
>>>
>>> Because to support rollback grub2 must be able to read encrypted root and grub2 did not support LUKS2 for a long time and even now Argon2 is not supported.
>>
>> By rollback, do you mean the snapper btrfs backups?
>
> I mean btrfs snapshots.
>
> Do not top post.

Undone top post for him ;-)

Ok, then, LUKS2 could be used, I mean supported, on those machines that use ext4? So I don't get LUKS2 because of the "mania" to use btrfs?

GRRR :-p

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
Hi,

On Sat, 2023-07-15 at 13:49 +0200, Carlos E. R. wrote:
> On 2023-07-15 07:33, Andrei Borzenkov wrote:
>> On 15.07.2023 08:15, zaper@dmc.chat wrote:
>>> On 2023-07-15 05:05, Andrei Borzenkov wrote:
>>>> On 15.07.2023 07:58, zaper@dmc.chat wrote:
>>>>> Hello,
>>>>> Why does the OpenSUSE installer still use LUKS1 with decryption handled by grub by default instead of using LUKS2 and handing off the decryption to systemd-cryptsetup?
>>>>
>>>> Because to support rollback grub2 must be able to read encrypted root and grub2 did not support LUKS2 for a long time and even now Argon2 is not supported.
>>>
>>> By rollback, do you mean the snapper btrfs backups?
>>
>> I mean btrfs snapshots.
>>
>> Do not top post.
>
> Undone top post for him ;-)
>
> Ok, then, LUKS2 could be used, I mean supported, on those machines that use ext4? So I don't get LUKS2 because of the "mania" to use btrfs?
>
> GRRR :-p

After ALP will use LUKS2, including optional support for unattended decryption via TPM2, by default, Factory is also already capable of using it on a package level, with PBKDF2 for now (Argon2 enablement is also under development, but needs a bit more time).

Unfortunately, the focus for the installer enablement was on Agama, therefore the YaST part is not yet ready, but there is already an open feature request [1].

Gary Lin (added to CC) will also provide some documentation on how to manually migrate from LUKS1 to LUKS2, if you want to try it earlier or to migrate old systems.

Last but not least, while we already had some improvements to hand over the passphrase from grub to the initrd to unlock root and avoid entering the password twice, there was still an issue that users had to type it twice if SWAP is also encrypted (even with the same password). For those cases, Gary also, just recently, found a solution for how we can securely pass over the passphrase to retry it for other partitions.

While I can't give an exact timeline yet, please stay prepared that there should be some more detailed news soon. ;)

Best,
Benjamin

[1] https://github.com/yast/yast-installation/issues/1088

--
Benjamin Brunner
Engineering Manager System Boot and Init
SUSE Software Solutions Germany GmbH
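Andrei's constraint earlier in the thread (grub2 can read LUKS1, and LUKS2 only without Argon2) and Benjamin's note that Factory's LUKS2 support currently uses PBKDF2 reduce to one check an admin can run on an encrypted root before touching it. The script below is an added example, not code from the thread, openSUSE or SUSE: it reads `cryptsetup luksDump` output and reports whether grub2 could unlock that volume; the sample dumps are constructed, and the `grub_luks_verdict` function name is this example's own.

```shell
#!/bin/bash
# Added example, not code from the thread, openSUSE or SUSE. It applies the
# rule the thread states: grub2 can unlock LUKS1, and LUKS2 only through a
# keyslot that uses PBKDF2; Argon2 keyslots cannot be opened by grub2, so a
# root volume like that breaks grub-side unlocking and snapshot rollback.
# Input is the text of "cryptsetup luksDump <device>" on stdin.
set -u

# Prints "<status> <reason>" (status: ok, partial or fail); exit 1 only on fail.
grub_luks_verdict() {
    local dump version total ok
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | sed -n 's/^Version:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    case "$version" in
        1) echo "ok luks1"; return 0 ;;
        2) ;;
        *) echo "fail unknown-version"; return 1 ;;
    esac
    # LUKS2 prints one "PBKDF:" line per keyslot; count the grub2-readable ones.
    total=$(printf '%s\n' "$dump" | grep -c '^[[:space:]]*PBKDF:' || true)
    ok=$(printf '%s\n' "$dump" | grep -c '^[[:space:]]*PBKDF:[[:space:]]*pbkdf2' || true)
    if [ "$total" -eq 0 ]; then echo "fail no-keyslots"; return 1; fi
    if [ "$ok" -eq "$total" ]; then echo "ok luks2-pbkdf2"; return 0; fi
    if [ "$ok" -eq 0 ]; then echo "fail luks2-argon2"; return 1; fi
    # Mixed keyslots: only a PBKDF2 keyslot's passphrase works at the grub prompt.
    echo "partial pbkdf2-keyslots-$ok-of-$total"; return 0
}

# Constructed luksDump excerpts for the demo (not captured from a real system).
SAMPLE_LUKS1='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64'
SAMPLE_LUKS2_ARGON='Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id'
SAMPLE_LUKS2_MIXED='Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      pbkdf2'

# On a live system: cryptsetup luksDump /dev/sdXN | grub_luks_verdict
printf '%s\n' "$SAMPLE_LUKS1" | grub_luks_verdict || true         # ok luks1
printf '%s\n' "$SAMPLE_LUKS2_ARGON" | grub_luks_verdict || true   # fail luks2-argon2
printf '%s\n' "$SAMPLE_LUKS2_MIXED" | grub_luks_verdict || true   # partial pbkdf2-keyslots-1-of-2
```

A "fail luks2-argon2" result on a root volume means the volume would have to be re-keyed to PBKDF2 (cryptsetup's `luksConvertKey --pbkdf pbkdf2` does that per keyslot) before grub2 could unlock it; the thread does not cover what else the installer's rollback setup assumes, so treat the verdict as the grub-side check only.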