Calamares Uses LUKS1 When Encrypting Partitions in New Installations

Should Calamares be set to use LUKS2 now when encrypting partitions? GRUB gained support for LUKS2 back in January:

https://www.phoronix.com/scan.php?page=news_item&px=GRUB-Boots-LUKS2-Disk-Encrypt

1 Like

That would cause some havoc for people who use grub to boot multiple distros since that version of grub won’t be present on other distros for some time.

1 Like

Might there be the possibility that in calamares I can choose which version of LUKS is used?
I only install EOS on my machines (sometimes together with Windows :see_no_evil:) and will not get in trouble with grub.

1 Like

basically it needs only to change the luks command from luks to luks2 … so should be possible to change this on the run for calamares…

2 Likes

Originally the cryptsetup luksFormat in Calamares did not specify a luks type.

The release of cryptsetup 2.0 changed the default from luks1 to luks2, which lead to broken installs because grub was unable to decrypt a luks2 container.

Calamares eventually patched with cryptsetup luksFormat --type luks1 .

Now grub supports luks2 decryption, after it being in the dev queue for years, but the type is probably still explicitly luks1 in Calamares.

This is not necessarily a bad thing. Not all distros would have the new grub, particularly Debian based distros, and luks1 is still solid.

Maybe when Debian 11 is released a change to Calamares could be done? Either omit a specific type and use the cryptsetup default (now luks2), or allow a choice of luks container type.

3 Likes

i do not read all of this … but this should give the needed information…

2 Likes

I did not read all but many of the posts. They are still discussing if an option to switch from LUKS1 to LUKS2 for cryptsetup should be included or not.

I agree with this statement.

Until full LUKS2 grub support is implemented the proposed benefits …

are negligible.

EDIT :

Reading up on Arch Wiki and grub is definitely not ready for mainline luks2 usage.

https://wiki.archlinux.org/title/GRUB#LUKS2

Aside from no argon2 support … grub-install won’t support unlocking luks2 containers OOTB.

Yeah, nah.

2 Likes