#luks2

2025-06-09

I finally got my #ArchLinux disk encryption upgraded to #LUKS2. It certainly was a challenge because #grub does not seem to play nicely with it, but I did get it to work. Grub has a bug in it where passphrases entered from the keyboard need to use PBKDF2 and key files need to use Argon2id. Once I figured this out, everything worked smoothly.

🅹🅴🅳🅸🅴 🇺🇦🕊️jedie@chaos.social
2025-06-08

I noticed that on #TuxedoOS the user password is not synchronized with the #luks2 password.

E.g. changing the user password in KDE or creating a new user. I can still only unlock the encryption with the initial password from the installation.

Apparently there is also no way to add a password via the GUI. I only see the option of working with cryptsetup on the console.

Am I overlooking something? @tuxedocomputers

VoidZeroOne :tranarchy_a_genderqueer: :v_trans: :v_pan:TheOneDoc@tech.lgbt
2025-04-05

The #GMKtec NucBox M5 Plus is now up and running @chimera_linux

Thx again @q66 for putting all that time and work in what is rapidly becoming my fav Linux Distro of all times.

#linux #kde #screenshot #btrfs #LUKS2 #2025

chimera linux running btrfs in a LUKS2 encrypted setup with KDE Plasma 6.3.4 on a GMKtec NucBox M5 Plus
Dirk Woutersdiwou
2025-03-20

Full disk encryption on Manjaro Linux

Manjaro Linux ships with Calamares, an excellent installer, which unfortunately offers only limited options for the partition layout. Complete encryption of all Linux partitions, incl. /boot and then also […]

dirkwouters.de/vollstaendige-f

Dirk Woutersdiwou
2025-03-20

Arch Linux with full disk encryption

GRUB bootloader together with LUKS2 and BTRFS file system. Setting up Arch Linux with full disk encryption through LUKS2 offers a high degree of security for user data and system integrity. LUKS2 (Linux […]

dirkwouters.de/arch-linux-mit-

Robert's Laboratoryrnowotniak
2025-02-17

I organized my like this. I think it's quite well thought out. All disks are SED hardware encrypted with TCG OPAL, root @ and @ home subvolumes are on (mdadm RAID1), additionally encrypted with . A fast storage for less important local data is on NVMe drives. Data on large SATA drives is encrypted in LUKS images or using a cloud-friendly filesystems (), quickly synchronized via LAN sync, and efficiently synced with cloud storage using block-level sync.

Diagram of storage organization on the workstation and the home server.  btrfs, raid1, mdadm, nvme, subvolumes, lansync, block-level sync.
2024-10-27

Te lo Enseño y Te lo Cuento, Physical security on Linux (TPM2.0, Yubikey, Luks2, clevis and Systemd) [aHAJCrYG0VY]

fediverse.tv/videos/watch/b453

2024-05-13
Finally HMAC encryption for in-kernel TPM clients is going to a release! Has been hanging there for a long time.

LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last Spring because that was my main turn-down in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for a few rounds until it was good enough.

With this and TPM2 sealed hard drive encryption there is a somewhat reasonable security model without having to type an encryption password into a bootloader prompt (which is tedious). I.e. login and go.

A rare case of a security feature also increasing user experience.

#linux #kernel #tpm #luks2
2024-03-10

Is this still true ...

via docs.voidlinux.org/installatio ...

『Cryptsetup defaults to #LUKS2, yet #GRUB releases before 2.06 only had support for LUKS1.

LUKS2 is only partially supported by GRUB; specifically, only the PBKDF2 key derivation function is implemented, which is not the default KDF used with LUKS2, that being Argon2i (GRUB Bug 59409 savannah.gnu.org/bugs/?59409 [0]). LUKS encrypted partitions using Argon2i (as well as the other KDF) can not be decrypted. For that reason, this guide only recommends LUKS1 be used.』

... per that bug link, seems so. Damn ... ah yes, all is coming back to me now :flashback: when I saw Justine S' social.treehouse.systems/@Just efforts of installing encrypted ZFS root (& encrypted swap & hibernation)[1].

---
0- See also: GNU GRUB - Bugs: bug #55093, Add [full] LUKS2 support, savannah.gnu.org/bugs/index.ph

1- Have the bookmark ...
Installing Void Linux with encrypted Root on ZFS, published 20240103, justine.smithies.me.uk/void-li

Kevin P. Flemingkevin@km6g.us
2024-03-04

Achievement unlocked: used systemd-cryptenroll with a newly-installed TPM2 device in my home server to automatically unlock a LUKS2 container (which contains a ZFS pool). I still need to enable Secure Boot on this machine, but this is progress.

#luks2 #systemd #zfs

2023-11-26

Linux Weekly Roundup: EndeavourOS Galileo with KDE, Rocky Linux 9.3 Updates, Proxmox VE 8.1 Enhancements, and More!
#EndeavourOS #RockyLinux #Proxmox #FreeBSD #OpenMandriva #KDE #LUKS2 #Calamares #SecureBoot #CephReef #OpenSSH #Plasma
linuxtldr.com/weekly-roundup/

2023-08-05

@abcdw what do you mean by #luks2 support, the two #guix patches or for #grub to expand from limited (pbkdf2 only) to full support?

ricardo :mastodon:governa@fosstodon.org
2023-05-17

#Tails 5.13 Enables #LUKS2 by Default for Persistent Storage and Encrypted Volumes. :linux: 🔒

9to5linux.com/tails-5-13-enabl

2023-05-16

@downey

As you mentioned reencrypt, that's about encrypting existing data? Then maybe this #RHEL guide helps:
access.redhat.com/documentatio

Or just have a complete backup (you should anyway), wipe, create a #LUKS2 partition and possibly #LVM on it and restore.

2023-04-21

It seems my #GRUB understands both argon2i and argon2id now… #cryptodisk #luks2

Christian Pietsch (old acct.)chpietsch@digitalcourage.social
2023-04-18

@mjg59

Thank you for sounding the alert!

I identified a minor issue with your otherwise nice explanation: According to my sources (man cryptsetup, #rfc9106), all #argon2 varieties are memory-hard. RFC 9106 is even titled “Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications”.

However, given that there are known attacks against #argon2i, it seems wise to use #argon2id instead. It is also what is recommended in the RFC.

As a #QubesOS user, I just checked the state of affairs there:

The cryptsetup that comes with QubesOS 3.x used #luks1, and those who did an in-place upgrade to 4.x still have that unless they converted to #luks2 manually (as detailed in the migration guide).

The cryptsetup in QubesOS 4.x uses #luks2, but it still defaults to #argon2i unfortunately.
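
A check for the KDF points raised in the posts above (GRUB builds limited to PBKDF2, argon2id preferred over argon2i), as an added example that is not from any of the posters: it reads `cryptsetup luksDump` text and reports each keyslot's PBKDF. The function names, the `grub_pbkdf2_only` flag and the sample dump are constructed for illustration.

```python
import re

# Constructed sample in the layout `cryptsetup luksDump` prints for a LUKS2 header.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
\tKey:        512 bits
\tPBKDF:      argon2i
\tTime cost:  4
  1: luks2
\tKey:        512 bits
\tPBKDF:      pbkdf2
\tHash:       sha256
  2: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
"""

def keyslot_kdfs(dump):
    """Map keyslot number -> PBKDF name, reading only the Keyslots section."""
    kdfs, section, slot = {}, None, None
    for line in dump.splitlines():
        if re.match(r"[A-Za-z][\w ]*:\s*$", line):  # unindented section header
            section, slot = line.strip().rstrip(":"), None
        elif section == "Keyslots":
            if m := re.match(r"\s+(\d+):\s+luks2\b", line):
                slot = int(m.group(1))
            elif slot is not None and (m := re.match(r"\s+PBKDF:\s+(\S+)", line)):
                kdfs[slot] = m.group(1).lower()
    return kdfs

def audit(kdfs, grub_pbkdf2_only=True):
    """Return (slot, note) findings; grub_pbkdf2_only is an assumption about the bootloader."""
    findings = []
    for slot, kdf in sorted(kdfs.items()):
        if kdf == "argon2i":
            findings.append((slot, "argon2i: RFC 9106 recommends argon2id"))
        elif kdf == "pbkdf2":
            findings.append((slot, "pbkdf2: not memory-hard"))
    if grub_pbkdf2_only and "pbkdf2" not in kdfs.values():
        findings.append((None, "no pbkdf2 keyslot for a PBKDF2-only GRUB"))
    return findings

if __name__ == "__main__":
    for slot, note in audit(keyslot_kdfs(SAMPLE_DUMP)):
        print(slot, note)
```

On a real system, pass the text printed by `cryptsetup luksDump` for the device in place of the sample.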
