Should Calamares be set to use LUKS2 now when encrypting partitions? GRUB gained support for LUKS2 back in January:
That would cause some havoc for people who use grub to boot multiple distros since that version of grub won’t be present on other distros for some time.
Might there be the possibility that in calamares I can choose which version of LUKS is used?
I only install EOS on my machines (sometimes together with Windows) and will not get in trouble with grub.
basically it needs only to change the luks command from luks to luks2 … so should be possible to change this on the run for calamares…
Originally the cryptsetup luksFormat in Calamares did not specify a luks type.
The release of cryptsetup 2.0 changed the default from luks1 to luks2, which led to broken installs because grub was unable to decrypt a luks2 container.
Calamares eventually patched with cryptsetup luksFormat --type luks1.
Now grub supports luks2 decryption, after it being in the dev queue for years, but the type is probably still explicitly luks1 in Calamares.
This is not necessarily a bad thing. Not all distros would have the new grub, particularly Debian based distros, and luks1 is still solid.
Maybe when Debian 11 is released a change to Calamares could be done? Either omit a specific type and use the cryptsetup default (now luks2), or allow a choice of luks container type.
I do not read all of this … but this should give the needed information…
I did not read all but many of the posts. They are still discussing if an option to switch from LUKS1 to LUKS2 for cryptsetup should be included or not.
I agree with this statement.
Until full LUKS2 grub support is implemented the proposed benefits … are negligible.
EDIT:
Reading up on Arch Wiki and grub is definitely not ready for mainline luks2 usage.
https://wiki.archlinux.org/title/GRUB#LUKS2
Aside from no argon2 support … grub-install won’t support unlocking luks2 containers OOTB.
Yeah, nah.
Is this still an issue?
If grub-install supports PBKDF2 it's totally fine to use, but I am not sure if it can be specified through Calamares.
If you choose systemd-boot, we are using luks2. If you choose grub, luks1.
Does the current grub in Arch support argon2 now?
According to arch wiki:
This article or section is out of date.
Reason: Grub 2.14rc1 supports the Argon2i and Argon2id PBKDFs. See upstream commit. (Discuss in Talk:GRUB#grub 2:2.14rc1 added support for LUKS2 + argon2 encryption.)
And GRUB in repos is:
core/grub 2:2.14rc1.r54.g29f3131a-2
So I assume it is solved?
patches from 2020 where some Argon2 code was imported just for header parsing, and in August 2025 a patch that adds grub_crypto_argon2() that references libgcrypt support), but not really any Argon2 KDF implementation for LUKS2 to unlock at boot in mainline GRUB ?
Maybe I was not researching deep, like very deep, but it looks like there are patches and stuff but no release including such?
also Archwiki talk:
I was able to confirm that it works on my system. I added an “out of date” note and I think we could remove most gotchas for LUKS2, but I’m wary about doing it now since it’s still in a RC and there are not many user confirmations that it works. —> https://wiki.archlinux.org/title/Talk:GRUB#grub_2:2.14rc1_added_support_for_LUKS2_+_argon2_encryption.
I just did some testing and it doesn’t seem like the current version of grub in the Arch repos is supporting luks2/argon2id yet.
Does EOS installer use argon2 with luks2?
Yes
Current installer should use LUKS2 when systemd-boot chosen?
Yes
Can you share how you are testing this? Because currently I am struggling to install grub on a systemd-boot EOS installation.
It also seems that GRUB and systemd-boot EOS installations end up mounting the EFI partition in different places, is this desired behavior? joekamprad
The quickest way is to do a grub install and then convert luks 1 to luks 2 and change the key to be argon2. This is quick and easy.
However, you can also start with systemd-boot and convert to grub, it is just more work that way.
Yes, it is deliberate. The reason is that people who use grub expect the ESP to be mounted at /boot/efi. However, outside of grub, this doesn’t make a lot of sense so for systemd-boot we use the more standard /efi.
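Added example, not part of the thread and not Calamares or GRUB code: a small Python reader for the two properties the posts above keep coming back to, the LUKS version of a container and the KDF on each keyslot. The header bytes are constructed samples, and `luks_kdfs`, `needs_argon2` and `sample_luks2` are hypothetical names.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR = 4096  # size of the LUKS2 binary header; the JSON area follows it


def luks_kdfs(header: bytes) -> dict:
    """Return the LUKS version and the KDF of every keyslot found in `header`."""
    if len(header) < 16 or header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", header[6:8])
    if version == 1:
        # LUKS1 has no per-keyslot KDF field: every keyslot uses PBKDF2.
        return {"version": 1, "kdfs": {"*": "pbkdf2"}}
    if version != 2:
        raise ValueError(f"unknown LUKS version {version}")
    (hdr_size,) = struct.unpack(">Q", header[8:16])  # binary header + JSON area
    if hdr_size <= LUKS2_BIN_HDR or len(header) < hdr_size:
        raise ValueError("truncated LUKS2 header")
    raw = header[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0]  # JSON is NUL-padded
    kdfs = {slot: ks.get("kdf", {}).get("type", "unknown")
            for slot, ks in json.loads(raw).get("keyslots", {}).items()}
    return {"version": 2, "kdfs": kdfs}


def needs_argon2(info: dict) -> bool:
    """True if any keyslot uses an Argon2 variant the bootloader would have to implement."""
    return any(kdf.startswith("argon2") for kdf in info["kdfs"].values())


def sample_luks2(kdf_by_slot: dict) -> bytes:
    """Build a constructed LUKS2 header holding only magic, version, size and JSON."""
    meta = {"keyslots": {slot: {"type": "luks2", "kdf": {"type": kdf}}
                         for slot, kdf in kdf_by_slot.items()}}
    hdr_size = 16384
    binhdr = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(LUKS2_BIN_HDR, b"\0")
    return binhdr + json.dumps(meta).encode().ljust(hdr_size - LUKS2_BIN_HDR, b"\0")


if __name__ == "__main__":
    # Constructed samples; on a real system pass the leading bytes of a header backup.
    luks1 = LUKS_MAGIC + struct.pack(">H", 1) + b"\0" * 584
    for hdr in (luks1, sample_luks2({"0": "pbkdf2"}),
                sample_luks2({"0": "argon2id", "1": "pbkdf2"})):
        info = luks_kdfs(hdr)
        print(info, "needs argon2:", needs_argon2(info))
```

`cryptsetup luksDump` prints the same version and per-keyslot PBKDF fields for a real device.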
I noticed that the grub install also creates a key file in the root fs, to avoid Linux asking for the key a second time. Does it mean that grub does not load the initramfs image the same way as systemd-boot does?