Gentoo Forums
LUKS2 new default that breaks backwards compatibility?
happysmash27
Apprentice
Joined: 28 Mar 2016
Posts: 220

Posted: Thu Apr 30, 2020 6:11 pm    Post subject: LUKS2 new default that breaks backwards compatibility?

emerging @world (IT FINALLY ACTUALLY WORKS \\\(⌢ヮ⌢)/ !) I get the following very worrying warning:

Code:
>>> Running pre-merge checks for sys-fs/cryptsetup-2.3.1
 * WARNING! WARNING! WARNING!
 * You have chosen LUKS2 as your default format.
 * This can break LUKS1 backwards compatibility.
 * Enable "luks1_default" USE flag if you need backwards compatibility.


I am currently on cryptsetup 2.2.0. Is this a new change for this version, and should I enable luks1_default to make sure my disks work, or is this something that was already in my current version? My primary disk was formatted (with luks) in 2016, my second disk was formatted maybe in 2018, and my third disk was formatted in early 2020.
fturco
Veteran
Joined: 08 Dec 2010
Posts: 1181
Location: Italy

Posted: Mon May 04, 2020 8:22 am

You can obtain the version of your current LUKS encrypted partitions with the following command:
Code:
cryptsetup luksDump "${partition}" | grep Version
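The version check above, extended as an added example (not code from any poster in this thread): it reads the first 8 bytes of each device or header image, the 6-byte LUKS magic followed by a big-endian 16-bit version, so several disks can be classified in one pass. The function names, the script name luks-versions.sh and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify LUKS headers by their first 8 bytes.
# Layout used: 6-byte magic "LUKS\xba\xbe", then a 16-bit big-endian version.

# luks_version PATH -> prints 1, 2, "unknown" (LUKS magic, other version) or "none".
luks_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        4c554b53babe????) echo unknown ;;
        *)                echo none ;;
    esac
}

# luks_report PATH... -> one line per path; returns 1 if any path has no LUKS header.
luks_report() {
    rc=0
    for dev in "$@"; do
        v=$(luks_version "$dev")
        case "$v" in
            1|2)     echo "$dev: LUKS$v" ;;
            unknown) echo "$dev: LUKS magic with unrecognised version" ;;
            *)       echo "$dev: no LUKS header"; rc=1 ;;
        esac
    done
    return "$rc"
}

# make_sample DIR -> writes constructed 8-byte headers (not real volumes) for a dry run.
make_sample() {
    printf 'LUKS\272\276\000\001' > "$1/luks1.img"   # magic + version 1
    printf 'LUKS\272\276\000\002' > "$1/luks2.img"   # magic + version 2
    printf 'ext4-ish' > "$1/plain.img"               # 8 bytes, no LUKS magic
}

# Real use needs read access to the block devices (normally root), e.g.
#   sh luks-versions.sh /dev/sda2 /dev/sdb1      (hypothetical script name)
if [ "$#" -gt 0 ]; then
    luks_report "$@"
fi
```
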
389292
Guru
Joined: 26 Mar 2019
Posts: 504

Posted: Mon May 04, 2020 9:58 am

You can't boot from a LUKS2 encrypted drive; GRUB doesn't support it. Well, it kind of does, but it doesn't support new LUKS2 features like argon2id, which makes the whole LUKS2 encryption useless for a boot drive. If you have a LUKS1 encrypted drive but want to use a new version of cryptsetup, you just add --type luks1 to your initramfs init file for the decryption stage; I'm not sure how it would work with autogenerators. cryptsetup is perfectly backward compatible; you just should be very careful with the --type option you provide, both during the new encryption and then later for decryption.
fturco
Veteran
Joined: 08 Dec 2010
Posts: 1181
Location: Italy

Posted: Mon May 04, 2020 1:38 pm

As an example, my root partition is encrypted with LUKS2, but my boot partition is unencrypted. In this case GRUB seems to work fine.
sdauth
Guru
Joined: 19 Sep 2018
Posts: 587
Location: Ásgarðr

Posted: Fri May 15, 2020 12:07 pm

FWIW, I just upgraded to cryptsetup 2.3.2 (because the new json-c update was causing a compilation error with cryptsetup 2.2.2) and added the "luks1_default" USE flag as recommended.

Then, there was no need to modify --type lvm to --type lvm1. System boots just fine. I guess --type lvm is enough as long as you set luks1_default USE flag with cryptsetup.
Here is the relevant part of my custom initramfs:

Code:
cryptsetup open "\${crypt_root}" lvm --type luks --key-file /crypto_key.bin || \
  cryptsetup open "\${crypt_root}" lvm --type luks || \
  rescue_shell "Decryption failed."


Next step would be maybe to see if I can convert my existing device to LUKS2.

EDIT: I successfully converted my fully encrypted device to luks2.
It is as simple as booting from a livecd and running (with the drive unmounted AND without any mapping prior to that! Read the manual carefully :o )

Code:
cryptsetup convert /dev/sda1 --type luks2


Worth mentioning that the initramfs needs "run/cryptsetup" directories; otherwise it will fail to boot.
Also, my fully encrypted device is unlocked from the GRUB payload with coreboot. You need a recent build of GRUB, so if you're using coreboot, compile GRUB straight from the latest source code and generate a new payload.
SarahS93
l33t
Joined: 21 Nov 2013
Posts: 705

Posted: Wed Jan 20, 2021 2:04 am

sda1 boot is not encrypted
sda2 root is encrypted with luks1
Can the system boot with cryptsetup 2.3.2 or is there trouble?