On 18.04.2023 17:19, cagsm wrote:
> On Tue, Apr 18, 2023 at 4:13 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>>> leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if one's distro supports stuff beyond PBKDF2, e.g. argon2id
>>
>> If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with.
>
> wow cool thanks for the reply but this didn't help a bit? i use the

Well, if you were as concerned by this security problem as you sound, you certainly would look for ways to solve it, not to complain about SUSE.

> stuff that simple opensuse 15.4 installer gave me. all on a single nvme with some uefi active laptop big brand. secureboot is activated but this laptop also boots with secureboot disabled. but uefi only no classic bios. now what? where does tpm come into play here and how does this help according to the article of shortcoming or weak pbkdf2 algo? they

With TPM there is no KDF, key is encrypted by TPM using (hopefully) random secret that never leaves TPM. Read comments for the blog post.

> strongly advise for that argon stuff.
> lsblk doesn't show separate boot i guess. it all went into one giant / partition.
> but this didn't answer the question if leap 15.4 and the infrastructure already? uses? can use? this argon2id?

As long as you insist on "default installation with single partition and /boot part of /" it is not possible because grub2 does not support Argon (and still does not support it upstream). It is not rocket science to manually install on two partitions and convert root to LUKS2 with Argon. This conversion only needs to be done once.
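
Added example, not part of the message above or of any poster's code: a small checker that reads the text printed by `cryptsetup luksDump` and reports which keyslots still stretch the passphrase with PBKDF2 instead of Argon2. The function names are hypothetical and both sample dumps are constructed, abbreviated to the fields the parser needs.

```python
import re

# Constructed, abbreviated samples in the layout `cryptsetup luksDump` prints.
# In the LUKS2 sample, slot 0 was converted to argon2id and slot 1 was not.
SAMPLE_LUKS2 = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
\tPBKDF:      argon2id
  1: luks2
\tPBKDF:      pbkdf2
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
"""
SAMPLE_LUKS1 = """\
LUKS header information for /dev/constructed
Version:        1
Key Slot 0: ENABLED
\tIterations:         \t2000000
Key Slot 1: DISABLED
"""

def keyslot_kdfs(dump):
    """Map keyslot number -> KDF name from luksDump text."""
    version = re.search(r"^Version:\s*(\d+)", dump, re.M)
    if version is None:
        raise ValueError("not a luksDump header")
    if version.group(1) == "1":
        # LUKS1 has no per-slot KDF field: every enabled slot is PBKDF2.
        return {int(n): "pbkdf2"
                for n in re.findall(r"^Key Slot (\d+): ENABLED", dump, re.M)}
    slots, section, slot = {}, None, None
    for line in dump.splitlines():
        if line and not line[0].isspace():      # top-level header, e.g. "Digests:"
            section, slot = line.rstrip(":").strip(), None
        elif section == "Keyslots":             # ignore the pbkdf2 under "Digests:"
            m = re.match(r"\s+(\d+): ", line)
            if m:
                slot = int(m.group(1))
            elif slot is not None and (m := re.match(r"\s+PBKDF:\s*(\S+)", line)):
                slots[slot] = m.group(1)
    return slots

def weak_slots(dump):
    """Keyslots whose passphrase is stretched with something other than Argon2."""
    return sorted(n for n, kdf in keyslot_kdfs(dump).items()
                  if not kdf.startswith("argon2"))
```

The `pbkdf2` entry under `Digests:` in a LUKS2 dump is the volume-key digest, not a passphrase KDF, which is why a plain text search for "pbkdf2" over the dump misreports a fully converted header.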