home.social

#luks2 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #luks2, aggregated by home.social.

  1. Xubuntu 26.04 LTS (beta) - Installation with FDE failed. The preconfigured encrypted setup option failed with Python argument errors. And the manually configured and partitioned setup failed, because it did not detect the device-mapped root correctly -> not possible to install on it. Let’s hope the final version fixes both of these annoying issues. I did update the installer to the latest version just before running the install, so the image had an even older installer, which I didn’t use. #Xubuntu #LTS #LUKS2 #FDE #fail #installation #Linux

  2. I realized never worked for me because I maintained my /boot inside an encrypted volume alongside /, /home, etc.

  4. This week has been full of major improvements to my #Linux setup across my #ThinkPads. I now have:
    1. Significantly faster boot times due to quicker #LUKS decryption by separating out #boot and #EFI into separate volumes.
    2. Upgrade from #LUKS1 to #LUKS2 (while most of the rest of my setup)
    3. Better visuals for LUKS passphrase prompts using (finally) #plymouth

    I couldn't have asked for more improvements in barely two days.

  8. Good thing #TestDisk exists: someone accidentally overwrote a partition table (GPT). It held only a single #LUKS2 partition. Luckily, #TestDisk was able to sort that out.

    But it wasn't entirely trivial after all: TestDisk only detects the minimum size of LUKS partitions and restores that; it does not know the actual end. And the thing couldn't be decrypted either: "Invalid argument" after entering the correct key.

    Turns out: the partition size must be a multiple of the sector size (4096 here), otherwise nothing works at all. So I extended it with parted to the next larger partition size, and then it worked. :awesome:

    #Linux #Encryption #LUKS

  9. I know probably nobody's gonna care, but support for #Argon2 was finally merged in upstream #grub and I'm so happy. I kinda disliked the fact that we had to rely on downstream patches. Now that it's all upstream, I can set up full disk encryption, including /boot, with #luks2 on my #libreboot #thinkpad

  10. Current progress on my system is installed #nixos with #btrfs and #luks2 oh and I also have a swap file but nothing else really. I tried doing secureboot but I've decided to do it later. As for now I'll have to learn how to govern my Nix lol. This will take a while :ablobcatneon:

  11. So I just tried to install #Debian13 with only one ESP and two #LUKS2 partitions, of which one is for swap and the other for the OS itself.

    And guess what?
    The installer errored out due to the fact it could not install the #Grub #Bootloader, because I didn't set up a separate partition for `/boot`.
    Well I fucking do NOT want grub on my system, I want to use `systemd-boot`!
    It doesn't even want to install sd-boot if it can't install grub first!

    So once again "up-yours" #Debian....🖕

  12. I finally got my #ArchLinux disk encryption upgraded to #LUKS2. It certainly was a challenge because #grub does not seem to play nicely with it but I did get it to work. Grub has a bug in it where passphrases entered from the keyboard need to use PBKDF2 and key files need to use Argon2id. Once I figured this out, everything worked smoothly.

  13. Arch Linux with full disk encryption

    GRUB bootloader together with LUKS2 and the BTRFS file system

    Setting up Arch Linux with full disk encryption via LUKS2 offers a high level of security for user data and system integrity. LUKS2 (Linux […]

    #arch #btrfs #grub #installation #linux #luks #luks2 #verschlüsselung

    dirkwouters.de/arch-linux-mit-

  14. I organized my #storage like this. I think it's quite well thought out. All disks are SED hardware encrypted with TCG OPAL, root @ and @home subvolumes are on #btrfs (mdadm RAID1), additionally encrypted with #LUKS2. A fast storage for less important local data is on NVMe drives. Data on large SATA drives is encrypted in LUKS images or using a cloud-friendly filesystem (#gocryptfs), quickly synchronized via LAN sync, and efficiently synced with cloud storage using block-level sync.

  15. Achievement unlocked: used systemd-cryptenroll with a newly-installed TPM2 device in my home server to automatically unlock a LUKS2 container (which contains a ZFS pool). I still need to enable Secure Boot on this machine, but this is progress.

    #luks2 #systemd #zfs

  16. @downey

    As you mentioned reencrypt, that's about encrypting existing data? Then maybe this #RHEL guide helps:
    access.redhat.com/documentatio

    Or just have a complete backup (you should anyway), wipe, create a #LUKS2 partition and possibly #LVM on it and restore..

  17. It seems my #GRUB understands both argon2i and argon2id now… #cryptodisk #luks2

  22. @mjg59

    Thank you for sounding the alert!

    I identified a minor issue with your otherwise nice explanation: According to my sources (man cryptsetup, #rfc9106), all #argon2 varieties are memory-hard. RFC 9106 is even titled “Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications”.

    However, given that there are known attacks against #argon2i, it seems wise to use #argon2id instead. It is also what is recommended in the RFC.

    As a #QubesOS user, I just checked the state of affairs there:

    The cryptsetup that comes with QubesOS 3.x used #luks1, and those who did an in-place upgrade to 4.x still have that unless they converted to #luks2 manually (as detailed in the migration guide).

    The cryptsetup in QubesOS 4.x uses #luks2, but it still defaults to #argon2i unfortunately.

  23. If you plan to use Grub 2.06 with LUKS2 note that:
    > - Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.
    > - grub-install does not support creating a core image that could be used for unlocking LUKS2.
    (wiki.archlinux.org/title/GRUB#)

    Just had a hard long time debugging because I assumed full support which is not the case yet.

    Also `grub-mkconfig` or `grub-install` do not bother to warn you about any incompatibility. The crypto commands are just silently omitted. 😑

    #grub #grub206 #luks #luks2 #linux #bootchain