Possible security issue when choosing encrypted install of EOS

Hi,

when installing EndeavourOS from the current live CD (Endeavouros_Cassini_Nova-03-2023_R1.iso) and using the encrypted install option in the installer, it creates an installation using only a LUKS v1 header for the encryption key and PBKDF2 for key derivation, whereas a LUKS v2 header and argon2id should be used to match current cryptographic standards. When choosing to encrypt drives in GNOME Disks later on, a LUKS2 header and argon2id are used automatically.

Source (GER): https://blog.fefe.de/?ts=9ac0aab7
(ENG): https://mjg59.dreamwidth.org/66429.html

Is this an issue to report directly to Calamares, or is this an issue that should be fixed within the distribution's live CD?

P.S.: I converted my LUKS header after installation on two different devices and it works without problems for me, but the mentioned settings should be the default settings instead of the outdated ones.

There already is an issue open at Calamares.

There just isn't a lot we can do about it. The problem is that GRUB does not support argon2id.


Mhm, I see. I have a slightly adjusted setup where /boot is unencrypted and only / is encrypted. So GRUB loads just fine and I guess the kernel handles the decryption with argon2id then.

I hope someone will find the time and has the knowledge to write a patch for GRUB.
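The two things discussed in this thread, checking whether an existing header is still LUKS1/PBKDF2 and upgrading it after installation, and only doing so when GRUB does not have to unlock that volume (the separate, unencrypted /boot layout from the last post), as an added shell example. This is not code from the forum posters, EndeavourOS or Calamares; the `luksDump` excerpts are constructed, `/dev/sda2` is a hypothetical device, and the "/boot is a separate, non-mapper mount" heuristic is an assumption, not a check the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread or the EndeavourOS/Calamares projects.
# Classifies a `cryptsetup luksDump` header and prints the cryptsetup steps that
# take it to LUKS2 + argon2id. Nothing is executed on a device unless you call
# `main /dev/...` yourself. Sample dumps below are constructed, not captured.

# Constructed excerpt: LUKS1 header (the installer default discussed above).
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             1234567
        Salt:                   de ad be ef
Key Slot 1: DISABLED'

# Constructed excerpt: LUKS2 header whose keyslot is still PBKDF2. This is what
# `cryptsetup convert --type luks2` leaves behind: keyslots are not re-derived.
SAMPLE_LUKS2_PBKDF2_DUMP='LUKS header information
Version:        2
Epoch:          3

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1234567'

# Constructed excerpt: LUKS2 header with an argon2id keyslot (GNOME Disks style).
SAMPLE_LUKS2_ARGON_DUMP='LUKS header information
Version:        2
Epoch:          4

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4'

# luks_header_state DUMP_TEXT -> prints luks1 | pbkdf2 | argon2id | unknown
luks_header_state() {
    dump=$1
    if printf '%s\n' "$dump" | grep -qE '^Version:[[:space:]]+1[[:space:]]*$'; then
        echo luks1
    elif printf '%s\n' "$dump" | grep -qE '^Version:[[:space:]]+2[[:space:]]*$'; then
        # Any keyslot still on pbkdf2 means the header is only half upgraded.
        if printf '%s\n' "$dump" | grep -qE '^[[:space:]]*PBKDF:[[:space:]]+pbkdf2'; then
            echo pbkdf2
        elif printf '%s\n' "$dump" | grep -qE '^[[:space:]]*PBKDF:[[:space:]]+argon2id'; then
            echo argon2id
        else
            echo unknown
        fi
    else
        echo unknown
    fi
}

# luks_upgrade_plan DEVICE STATE -> prints the commands to run, one per line.
# luksConvertKey converts the keyslot whose passphrase you enter; repeat it
# (or pass --key-slot N) for every enabled keyslot.
luks_upgrade_plan() {
    dev=$1; state=$2
    backup="/root/${dev##*/}-luks-header.bak"   # keep a header backup off-disk too
    case $state in
        luks1)
            echo "cryptsetup luksHeaderBackup --header-backup-file $backup $dev"
            echo "cryptsetup convert --type luks2 $dev"
            echo "cryptsetup luksConvertKey --pbkdf argon2id $dev" ;;
        pbkdf2)
            echo "cryptsetup luksHeaderBackup --header-backup-file $backup $dev"
            echo "cryptsetup luksConvertKey --pbkdf argon2id $dev" ;;
        argon2id)
            echo "# $dev already uses LUKS2 with argon2id; nothing to do" ;;
        *)
            echo "# could not classify $dev; inspect 'cryptsetup luksDump $dev' by hand"
            return 1 ;;
    esac
}

# main DEVICE: refuse when GRUB would have to unlock DEVICE (GRUB cannot open
# argon2id keyslots, per the thread). Assumed heuristic: /boot must be its own
# mount and not a /dev/mapper volume, i.e. the unencrypted-/boot layout above.
main() {
    dev=$1
    boot_src=$(findmnt -n -o SOURCE -T /boot 2>/dev/null)
    root_src=$(findmnt -n -o SOURCE -T / 2>/dev/null)
    if [ -z "$boot_src" ] || [ "$boot_src" = "$root_src" ]; then
        echo "refusing: /boot lives inside the root filesystem, GRUB would need to unlock $dev" >&2
        return 1
    fi
    case $boot_src in
        /dev/mapper/*) echo "refusing: /boot is on a dm volume ($boot_src)" >&2; return 1 ;;
    esac
    state=$(luks_header_state "$(cryptsetup luksDump "$dev")")
    luks_upgrade_plan "$dev" "$state"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh luks-check.sh /dev/sda2` (root, because `luksDump` needs the device) and review the printed commands before running them; the planner deliberately prints rather than executes, since a failed header conversion on a mounted root is not something you want scripted.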