Support, leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id anyone? thanks for keeping opensuse utmost secure and safe.
On Tue, Apr 18, 2023 at 4:59 PM cagsm <cumandgets0mem00f@gmail.com> wrote:
Support,
leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM).
reading this recent article: <https://mjg59.dreamwidth.org/66429.html>
comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id
If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with.
anyone? thanks for keeping opensuse utmost secure and safe.
On Tue, Apr 18, 2023 at 4:13 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with.
wow cool thanks for the reply but this didn't help a bit? i use the stuff that simple opensuse 15.4 installer gave me. all on a single nvme with some uefi active laptop big brand. secureboot is activated but this laptop also boots with secureboot disabled. but uefi only no classic bios. now what? where does tpm come into play here and how does this help according to the article of shortcoming or weak pbkdf2 algo? they strongly advise for that argon stuff. lsblk doesn't show separate boot i guess. it all went into one giant / partition. but this didn't answer the question if leap 15.4 and the infrastructure already? uses? can use? this argon2id? ty
On Tue, Apr 18, 2023 at 4:19 PM cagsm <cumandgets0mem00f@gmail.com> wrote:
On Tue, Apr 18, 2023 at 4:13 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with. wow cool thanks for the reply but this didnt help a bit? i use the stuff that simple opensuse 15.4 installer gave me. all on a single nvme with some uefi active laptop big brand. secureboot is activated but this laptop also boots with secureboot disabled. but uefi only no classic bios. now what? where does tpm come into play here and how does this help according to the article of shortcoming or weak pbkdf2 algo? they strongly advise for that argon stuff. lsblk doesnt show separate boot i guess. it all went into one giant / partition.
apparently opensuse leap 15.4 just started months ago on a brand new laptop, with FDE, gives the user ancient style LUKS1 on disk format. is this possible? yet another stuff that opensuse ships historic bits to its userbase? started with 15.4 from scratch on that brand new laptop.
<https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup> <https://security.stackexchange.com/questions/179988/luks2-on-disk-format-specifications>
sudo cryptsetup luksDump /dev/nvme0n1p2
.....
LUKS header information for /dev/nvme0n1p2
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
but this didn't answer the question if leap 15.4 and the infrastructure already? uses? can use? this argon2id?
i guess argon and all that fancy stuff only showed up like years ago with LUKS2 on disk format. being way too cool and fancy to make it into leap 15.4. 15.5 doing any better? any chances? ty
On 2023-04-18 16:33, cagsm wrote:
On Tue, Apr 18, 2023 at 4:19 PM cagsm <cumandgets0mem00f@gmail.com> wrote:
On Tue, Apr 18, 2023 at 4:13 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with. wow cool thanks for the reply but this didnt help a bit? i use the stuff that simple opensuse 15.4 installer gave me. all on a single nvme with some uefi active laptop big brand. secureboot is activated but this laptop also boots with secureboot disabled. but uefi only no classic bios. now what? where does tpm come into play here and how does this help according to the article of shortcoming or weak pbkdf2 algo? they strongly advise for that argon stuff. lsblk doesnt show separate boot i guess. it all went into one giant / partition.
apparently opensuse leap 15.4 just started months ago on a brand new laptop, with FDE, gives the user ancient style LUKS1 on disk format. is this possible? yet another stuff that opensuse ships historic bits to its userbase? started with 15.4 from scratch on that brand new laptop.
<https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup> <https://security.stackexchange.com/questions/179988/luks2-on-disk-format-specifications>
sudo cryptsetup luksDump /dev/nvme0n1p2
.....
LUKS header information for /dev/nvme0n1p2
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
Same as I have. Yes, LUKS 1.

Beta:~ # file -s /dev/nvme0n1p2
/dev/nvme0n1p2: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 43662ac8-...
Beta:~ #
but this didn't answer the question if leap 15.4 and the infrastructure already? uses? can use? this argon2id?
i guess argon and all that fancy stuff only showed up like years ago with LUKS2 on disk format. being way too cool and fancy to make it into leap 15.4. 15.5 doing any better? any chances?
Remember that Leap is basically frozen in time to what version zero had. By definition and intention. Besides that, mere mortals like us can not really understand encryption.

--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 18.04.2023 17:19, cagsm wrote:
On Tue, Apr 18, 2023 at 4:13 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
leap 15.4, full disk encryption (FDE), luks I suppose. I am not an expert (TM). reading this recent article: <https://mjg59.dreamwidth.org/66429.html> comes up with the question if ones distro supports stuff beyond PBKDF2, e.g. argon2id If you are concerned, use separate /boot and encrypt / the way you like. Or use TPM to avoid this problem to start with.
wow cool thanks for the reply but this didnt help a bit? i use the
Well, if you were as concerned by this security problem as you sound, you certainly would look for ways to solve it, not to complain about SUSE.
stuff that simple opensuse 15.4 installer gave me. all on a single nvme with some uefi active laptop big brand. secureboot is activated but this laptop also boots with secureboot disabled. but uefi only no classic bios. now what? where does tpm come into play here and how does this help according to the article of shortcoming or weak pbkdf2 algo? they
With TPM there is no KDF, key is encrypted by TPM using (hopefully) random secret that never leaves TPM. Read comments for the blog post.
strongly advise for that argon stuff.
lsblk doesn't show separate boot i guess. it all went into one giant / partition.
but this didn't answer the question if leap 15.4 and the infrastructure already? uses? can use? this argon2id?
As long as you insist on "default installation with single partition and /boot part of /" it is not possible because grub2 does not support Argon (and still does not support it upstream). It is not rocket science to manually install on two partitions and convert root to LUKS2 with Argon. This conversion only needs to be done once.
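An added example, not code from the thread or from openSUSE: a POSIX shell script that reads a `cryptsetup luksDump` listing, reports whether the volume still depends on LUKS1/PBKDF2 for any keyslot, and prints the one-time conversion to LUKS2 with argon2id that the reply above describes. The two dumps embedded in it are constructed samples (the first mirrors the LUKS1 header quoted earlier in the thread, the second is an abridged LUKS2 header); `/dev/nvme0n1p2` is the device path from the thread; `luksHeaderBackup`, `convert` and `luksConvertKey` are real cryptsetup subcommands. It assumes, as the reply does, that `/boot` already lives on a separate partition that GRUB can read without unlocking an argon2id keyslot.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a `cryptsetup luksDump` listing
# and decide whether the volume still relies on LUKS1 / PBKDF2, then print the
# one-time conversion to LUKS2 + argon2id described in the reply.
# Assumption: /boot is on its own unencrypted partition, because GRUB2 cannot
# unlock an argon2id keyslot (it would have to stay on PBKDF2 otherwise).

# Constructed sample 1: the LUKS1 header quoted in the thread.
DUMP_LUKS1='LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed sample 2: an abridged LUKS2 header whose keyslot uses argon2id.
DUMP_LUKS2='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 118556'

# Print the on-disk format version ("1" or "2") found in a dump.
luks_version() {
  printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# Print the PBKDF of every keyslot, one per line (LUKS2 only). The
# "Digests: 0: pbkdf2" entry is a digest type, not a keyslot KDF, and is ignored.
keyslot_pbkdfs() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*PBKDF:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p'
}

# Exit status 0 when at least one keyslot still depends on PBKDF2.
# LUKS1 has no other KDF, so any version-1 header counts.
needs_argon2id_upgrade() {
  ver=$(luks_version "$1")
  [ "$ver" = "1" ] && return 0
  for kdf in $(keyslot_pbkdfs "$1"); do
    [ "$kdf" = "pbkdf2" ] && return 0
  done
  return 1
}

# Print the steps for an in-place upgrade of device $1, given its dump $2.
# Nothing is executed here: run the printed commands from a rescue system with
# the volume closed, after the header backup.
print_upgrade_plan() {
  dev=$1
  if ! needs_argon2id_upgrade "$2"; then
    echo "# $dev already has LUKS2 keyslots with argon2id; nothing to do"
    return 0
  fi
  cat <<EOF
# 1. Keep a copy of the header; convert rewrites it in place.
cryptsetup luksHeaderBackup $dev --header-backup-file luks-header-backup.img
# 2. LUKS1 -> LUKS2 on-disk format (volume must not be open).
cryptsetup convert --type luks2 $dev
# 3. Re-wrap keyslot 0 with argon2id (prompts for the current passphrase).
cryptsetup luksConvertKey --pbkdf argon2id --key-slot 0 $dev
# 4. Verify the result.
cryptsetup luksDump $dev | grep -E '^Version|PBKDF:'
EOF
}

print_upgrade_plan /dev/nvme0n1p2 "$DUMP_LUKS1"
```

Feed it the real dump with `print_upgrade_plan /dev/nvme0n1p2 "$(sudo cryptsetup luksDump /dev/nvme0n1p2)"`; the printed steps are deliberately not run by the script, since `convert` operates on the live header and a header backup is the only way back if something goes wrong. The check is per keyslot on purpose: a LUKS2 volume can keep one PBKDF2 slot for a GRUB-unlocked layout while the remaining slots use argon2id, and such a volume still reports as needing attention.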
On Tue, Apr 18, 2023 at 7:40 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
As long as you insist on "default installation with single partition and /boot part of /" it is not possible because grub2 does not support Argon (and still does not support it upstream). It is not rocket science to manually install on two partitions and convert root to LUKS2 with Argon. This conversion only needs to be done once.
hi there, what do you mean i would insist on anything? i pointed out what a then-current leap 15.4 was offering as default. thanks for pointing out that the user is malicious. as always. anyhow, in the light of incoming ALP changes or what was it again? what is advised these days if one starts from scratch with say 15.4 or 15.5 even, what partition layout is advised so that we have a future-proof? way to partition the disks? a separate /boot partition and what file system for it? would this separate /boot be non-encrypted? how does this not collide with safety and security with today's systems when secureboot uefi and whatnot and then the full disk encryption of everything? but this /boot ? thanks for helping. ty.
participants (3)
- Andrei Borzenkov
- cagsm
- Carlos E. R.