Calamares Uses LUKS1 When Encrypting Partitions in New Installations

Should Calamares be set to use LUKS2 now when encrypting partitions? GRUB gained support for LUKS2 back in January:


That would cause some havoc for people who use grub to boot multiple distros since that version of grub won’t be present on other distros for some time.


Might there be the possibility that in calamares I can choose which version of LUKS is used?
I only install EOS on my machines (sometimes together with Windows :see_no_evil:) and will not get in trouble with grub.


Basically it only needs to change the luks command from luks to luks2 … so it should be possible to change this on the run for calamares…


Originally the cryptsetup luksFormat in Calamares did not specify a luks type.

The release of cryptsetup 2.0 changed the default from luks1 to luks2, which led to broken installs because grub was unable to decrypt a luks2 container.

Calamares eventually patched with cryptsetup luksFormat --type luks1.

Now grub supports luks2 decryption, after it being in the dev queue for years, but the type is probably still explicitly luks1 in Calamares.

This is not necessarily a bad thing. Not all distros would have the new grub, particularly Debian based distros, and luks1 is still solid.

Maybe when Debian 11 is released a change to Calamares could be done? Either omit a specific type and use the cryptsetup default (now luks2), or allow a choice of luks container type.


I did not read all of this … but this should give the needed information…


I did not read all but many of the posts. They are still discussing if an option to switch from LUKS1 to LUKS2 for cryptsetup should be included or not.

I agree with this statement.

Until full LUKS2 grub support is implemented the proposed benefits …

are negligible.


Reading up on Arch Wiki and grub is definitely not ready for mainline luks2 usage.

Aside from no argon2 support … grub-install won’t support unlocking luks2 containers OOTB.

Yeah, nah.
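
The two things this thread turns on, which LUKS version a container was formatted with and whether a LUKS2 container's keyslots use Argon2, can both be read from the on-disk header. The following is an added example, not part of any post and not Calamares or cryptsetup code; the function names `inspect_luks`, `make_luks1` and `make_luks2` are hypothetical, the sample headers are constructed, and the "PBKDF2 only" rule for GRUB is taken from the posts above.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # primary-header magic shared by LUKS1 and LUKS2
LUKS2_BIN_HDR = 4096          # LUKS2 JSON metadata follows the 4 KiB binary header


def inspect_luks(blob: bytes) -> dict:
    """Report LUKS version, per-keyslot KDF, and the keyslots GRUB could use."""
    none = {"version": None, "kdf": {}, "grub_slots": []}
    if len(blob) < 16 or blob[:6] != LUKS_MAGIC:
        return none
    (version,) = struct.unpack(">H", blob[6:8])  # big-endian uint16
    if version == 1:
        # LUKS1 keyslots always use PBKDF2, so individual slots are not parsed.
        return {"version": 1, "kdf": {"*": "pbkdf2"}, "grub_slots": ["*"]}
    if version != 2:
        return dict(none, version=version)
    (hdr_size,) = struct.unpack(">Q", blob[8:16])  # binary header + JSON area
    raw = blob[LUKS2_BIN_HDR:hdr_size].split(b"\x00", 1)[0]
    try:
        slots = json.loads(raw).get("keyslots", {})
    except ValueError:  # truncated or damaged JSON area
        return dict(none, version=2)
    kdf = {sid: s.get("kdf", {}).get("type", "unknown") for sid, s in slots.items()}
    # Rule taken from the thread: GRUB cannot use Argon2 keyslots, only PBKDF2.
    usable = sorted(sid for sid, k in kdf.items() if k == "pbkdf2")
    return {"version": 2, "kdf": kdf, "grub_slots": usable}


def make_luks1() -> bytes:
    """Constructed sample: just enough of a LUKS1 header to identify it."""
    return (LUKS_MAGIC + struct.pack(">H", 1)).ljust(592, b"\x00")


def make_luks2(kdf_by_slot: dict) -> bytes:
    """Constructed sample: LUKS2-shaped header with the given KDF per keyslot."""
    meta = {"keyslots": {s: {"type": "luks2", "kdf": {"type": k}}
                         for s, k in kdf_by_slot.items()}}
    area = json.dumps(meta).encode().ljust(12288, b"\x00")
    hdr = LUKS_MAGIC + struct.pack(">HQ", 2, LUKS2_BIN_HDR + len(area))
    return hdr.ljust(LUKS2_BIN_HDR, b"\x00") + area


if __name__ == "__main__":
    print(inspect_luks(make_luks1()))
    print(inspect_luks(make_luks2({"0": "argon2id"})))
    print(inspect_luks(make_luks2({"0": "argon2id", "1": "pbkdf2"})))
```

On a real system the input would be the leading bytes of the encrypted partition or of a header backup file; an empty `grub_slots` list on a LUKS2 container means every keyslot uses a KDF other than PBKDF2.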