EndeavourOS installer & LUKS settings

Hi all, I was reading this article about LUKS security: https://mjg59.dreamwidth.org/66429.html

In short it says we should be using LUKS2 + argon2id for modern luks encryption and explains how to check your currently installed system.

Here it shows “version: 1” (should be 2) and “Key Slot: enabled” (instead of argon2id). Now, I don’t know if the installer in the current iso uses a different luks version, as I installed EOS a long time ago… I might just reinstall but if it uses the same version then I think I’ll try the “convert” steps detailed in the article and hope for the best…

What do you think? Do you know what the luks settings are in Nova-03-2023_R3?
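
As an added example (not part of the original post or the linked article): a small Python check that parses `cryptsetup luksDump` output and flags anything that is not LUKS2 with argon2id on every key slot. The sample dumps are constructed and abridged, and the function name `audit_luks_dump` is hypothetical; it goes slightly beyond the post by ignoring the LUKS2 `Digests` section, where pbkdf2 is listed as a digest and not as a keyslot KDF.

```python
import re

# Constructed, abridged samples modelled on `cryptsetup luksDump` output.
LUKS1_DUMP = (
    "LUKS header information for /dev/sdX2\n\n"
    "Version:       \t1\nCipher name:   \taes\nHash spec:     \tsha256\n\n"
    "Key Slot 0: ENABLED\n\tIterations:  \t1000000\n"
    "Key Slot 1: DISABLED\n"
)
LUKS2_DUMP = (
    "LUKS header information\nVersion:       \t2\n\n"
    "Keyslots:\n"
    "  0: luks2\n\tKey:        512 bits\n\tPBKDF:      argon2id\n"
    "  1: luks2\n\tKey:        512 bits\n\tPBKDF:      pbkdf2\n"
    "Tokens:\n"
    "Digests:\n  0: pbkdf2\n\tHash:       sha256\n"
)

def audit_luks_dump(text):
    """Return (version, {slot: kdf}, findings) for luksDump output."""
    m = re.search(r"^Version:\s*(\d+)", text, re.M)
    if not m:
        raise ValueError("no Version line; is this luksDump output?")
    version, slots, findings = int(m.group(1)), {}, []
    if version == 1:
        # LUKS1 has no PBKDF field: every enabled slot uses PBKDF2.
        for s in re.findall(r"^Key Slot (\d+): ENABLED", text, re.M):
            slots[int(s)] = "pbkdf2"
        findings.append("header is LUKS1, not LUKS2")
    else:
        section, slot = None, None
        for line in text.splitlines():
            if line and not line[0].isspace():
                section = line.rstrip(":")   # top-level: Keyslots, Digests, ...
            elif section == "Keyslots":      # skip Digests, which also says pbkdf2
                if (h := re.match(r"\s+(\d+): ", line)):
                    slot = int(h.group(1))
                elif (k := re.match(r"\s+PBKDF:\s*(\S+)", line)) and slot is not None:
                    slots[slot] = k.group(1)
    findings += [f"keyslot {n} uses {kdf}, not argon2id"
                 for n, kdf in sorted(slots.items()) if kdf != "argon2id"]
    return version, slots, findings

if __name__ == "__main__":
    for name, dump in (("LUKS1 sample", LUKS1_DUMP), ("LUKS2 sample", LUKS2_DUMP)):
        print(name, audit_luks_dump(dump))
```

On a real system the input would be the output of `cryptsetup luksDump` for the encrypted partition, run as root.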

EndeavourOS is using luks1 because grub doesn’t support luks2 + argon2id.

Thanks for your reply! Maybe then luks2 could be made the default if systemd-boot is chosen in the installer?

Yes, I have actually been considering that option.

However, Calamares doesn’t support that easily so I would need to do some work to implement it.

The comments in that article suggest that GRUB shouldn’t have problems with luks2 if /boot is unencrypted, since once the kernel is loaded it’s in charge of unlocking the volumes. So that would be another possibility, i.e. if you keep the boot partition unencrypted you can use luks2.

It’s the only time when I’ll say that soystemd is better than grub at something… And something important.

Two things:

  • I implemented luks2 support in the installer for systemd-boot over the weekend. It should be in our next release.
  • Using an unencrypted /boot would defeat the reasons we continue to support grub for UEFI installs.

Great, thanks!
