happysmash27 Apprentice
Joined: 28 Mar 2016 Posts: 220
|
Posted: Thu Apr 30, 2020 6:11 pm Post subject: LUKS2 new default that breaks backwards compatibility? |
|
|
emerging @world (IT FINALLY ACTUALLY WORKS \\\(⌢ヮ⌢)/ !) I get the following very worrying warning:
Code: | >>> Running pre-merge checks for sys-fs/cryptsetup-2.3.1
* WARNING! WARNING! WARNING!
* You have chosen LUKS2 as your default format.
* This can break LUKS1 backwards compatibility.
* Enable "luks1_default" USE flag if you need backwards compatibility.
|
I am currently on cryptsetup 2.2.0. Is this a new change for this version, and should I enable luks1_default to make sure my disks work, or is this something that was already in my current version? My primary disk was formatted (with luks) in 2016, my second disk was formatted maybe in 2018, and my third disk was formatted in early 2020. |
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Mon May 04, 2020 8:22 am Post subject: |
|
|
You can obtain the version of your current LUKS-encrypted partitions with the following command:
Code: | cryptsetup luksDump "${partition}" | grep Version |
|
389292 Guru
Joined: 26 Mar 2019 Posts: 504
|
Posted: Mon May 04, 2020 9:58 am Post subject: |
|
|
You can't boot from a LUKS2 encrypted drive; GRUB doesn't support it. Well, it kind of does, but it doesn't support new LUKS2 features like argon2id, which makes the whole LUKS2 encryption useless for a boot drive. If you have a LUKS1 encrypted drive but want to use a new version of cryptsetup, you just add --type luks1 to your initramfs init file for the decryption stage; I'm not sure how it would work with autogenerators. cryptsetup is perfectly backward compatible; you just should be very careful with the --type option you provide, both during the new encryption and then later for decryption. |
|
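Added example, not part of any post in this thread: reading the format version straight from the on-disk header (the value `luksDump` reports) and, for LUKS2, listing the keyslot KDFs that the argon2id remark above is about. The function names are made up for this example; it assumes the LUKS2 JSON metadata starts at byte 4096 and that each `kdf` object lists `type` first.

```shell
#!/bin/sh
# usage (as root): luks_report /dev/sda1

# Print the LUKS format version (1 or 2) of a device or image file.
# LUKS1 and LUKS2 both begin with the 6-byte magic "LUKS\xba\xbe"
# followed by a 16-bit big-endian version number.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none; return 1 ;;
    esac
}

# List the distinct keyslot KDF types (pbkdf2, argon2i, argon2id) of a
# LUKS2 header. Assumptions: the JSON area follows the 4096-byte binary
# header, fits in the next 12 KiB, and "type" is the first key of "kdf".
luks2_kdfs() {
    [ "$(luks_version "$1")" = 2 ] || return 1
    dd if="$1" bs=4096 skip=1 count=3 2>/dev/null | tr -d '\000' |
        grep -oE '"kdf"[[:space:]]*:[[:space:]]*\{[[:space:]]*"type"[[:space:]]*:[[:space:]]*"[a-z0-9]+"' |
        sed -E 's/.*"([a-z0-9]+)"$/\1/' | sort -u
}

# One-line summary per device: format version plus KDF types in use.
luks_report() {
    v=$(luks_version "$1") || { echo "$1: no LUKS header"; return 1; }
    if [ "$v" = 1 ]; then
        # LUKS1 keyslots always use PBKDF2.
        echo "$1: LUKS1 (pbkdf2)"
    else
        echo "$1: LUKS2 ($(luks2_kdfs "$1" | tr '\n' ' ' | sed 's/ $//'))"
    fi
}
```
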
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Mon May 04, 2020 1:38 pm Post subject: |
|
|
As an example, my root partition is encrypted with LUKS2, but my boot partition is unencrypted. In this case GRUB seems to work fine. |
|
sdauth Guru
Joined: 19 Sep 2018 Posts: 587 Location: Ásgarðr
|
Posted: Fri May 15, 2020 12:07 pm Post subject: |
|
|
FWIW, I just upgraded to cryptsetup 2.3.2 (because the new json-c update was causing a compilation error with cryptsetup 2.2.2) and added the "luks1_default" USE flag as recommended.
Then, there was no need to modify --type lvm to --type lvm1. System boots just fine. I guess --type lvm is enough as long as you set the luks1_default USE flag with cryptsetup.
Here is the relevant part in my custom initramfs:
Code: | cryptsetup open "\${crypt_root}" lvm --type luks --key-file /crypto_key.bin || \
cryptsetup open "\${crypt_root}" lvm --type luks || \
rescue_shell "Decryption failed." |
The next step would maybe be to see if I can convert my existing device to LUKS2.
EDIT: I successfully converted my fully encrypted device to luks2.
It's as simple as booting from a livecd and running (with the drive unmounted AND without any mapping prior to that! Read the manual carefully):
Code: | cryptsetup convert /dev/sda1 --type luks2 |
It's worth mentioning that the initramfs needs the "run/cryptsetup" directories, otherwise it will fail to boot.
Also, my fully encrypted device is unlocked from the GRUB payload with coreboot. You need a recent build of GRUB, so if you're using coreboot, compile GRUB straight from the latest source code and generate a new payload. |
|
SarahS93 l33t
Joined: 21 Nov 2013 Posts: 705
|
Posted: Wed Jan 20, 2021 2:04 am Post subject: |
|
|
sda1 (boot) is not encrypted.
sda2 (root) is encrypted with luks1.
Can the system boot with cryptsetup 2.3.2, or is there trouble? |
|