Luks2, new cryptosetup release, new Qubes?

Same here, I would “just” have to change the sha256 to sha512 and everything else is “standard by default”

  • The Argon2i where “i” is for password cypher.
    Why not using Argon2d or Argon2id ?
    (Just for my own knowledge, as this is way out of my technical reach)

In January 2020 GRUB2 got a patch and is now able to handle LUKS2 headers, but only with the legacy PBKDF2 algorithm (Argon2i, NDLR). There are two problems here. The first is that it takes time until such a patch comes into a release version and even more time until it is distributed. Debian 10.4 (stable-branch) for example has still an older version of GRUB2 which is unable to handle LUKS2. And second, Argon2 is not supported by GRUB2 even with the mentioned initial LUKS2-patch.

If you were to create a LUKS2 /boot partition, chances are high that it will default to Argon2i. For /boot you would have to specify --pbkdf pbkdf2 while creating a new keyslot for GRUB2 (with the LUKS2-patch) to make this work.

1 Like

These are great questions for the LUKS developers. Please ask them and let us know.

Apparently there is someting with GRUB and Argon2id that is not quite straight,
Therefore understandably QUBES choose to set it to Argon2i only

This appears to be a potentially important issue:

Judging from the above post, argon2id should be preferred to argon2i, but not clear (given the above discussion and apparent grub issue) if argon2id is viable with Qubes at this time?

Yes, exactly what I found … and left me unsure

From what I have read elsewhere grub support is only important if /boot is encrypted. Does anyone know if Qubes encrypts /boot on clean install, by default?

No. /boot is aside from luks partitions.

actually, /boot/efi is outside the LVM/Luks, but /boot is inside
The Qubes instal guide page is outdated, it still mention Luks1 and /boot,
While in fact we are now using Luks2, argon2i and /boot/efi + /boot
So their page saying /boot is outside of the Luks is no longer true

Oh, so boot stays inside luks, but remains unencrypted? Could you please elaborate? Thanks!

When I do lsblk in dom0 on a default 4.1 installation, I see both /boot and /boot/efi outside of LUKS. What am I missing?

Which part exactly are you referring to? Do you mean this?

Did you know? By default, Qubes OS uses LUKS/dm-crypt to encrypt everything except the /boot partition.

On this page? I just updated that (or so I thought) four days ago. It doesn’t mention LUKS 1 vs. 2, but it does mention /boot. As I said above, it appears to me on my default 4.1 installation that /boot is outside of LUKS and that /boot obviously contains /boot/efi, so the statement seemed accurate to me. If it’s still not right, please help me get it right. Need specifics.

I don’t see LUKS mentioned anywhere else on this page, but if you have other places in mind, please provide exact links and quotations so that I know exactly what needs to be fixed.

1 Like

I can’t elaborate, I don’t have the tech level :wink:
But I can tell while inspecting the partitions after full auto install that the /boot/efi is outside, and everything else is inside (therefore including /boot)

oh ?! hum …
Now you make me doubt … last time I checked, after full auto install, I saw the /boot/efi “in clear” while everything else was inside the LUKS (therefore including /boot)
But maybe I was too quick looking at it and mixed ?
Anyway, it’s not so much about /boot, it’s more about the details f the “Redirecting…” being outdated as it doesn’t mention the necessity to create 2 partitions /boot/efi and /boot and the argon2 and such
As new material comes more and more often with several disks, especially NVMe, it would be great to include a chapter for multi-disk install, how do you install 1 partition / spread over 2 or 3 disks ?

I don’t want to create a new thread, so I’m hijacking this one. I converted my drive to LUKS2, and then changed the key to argon2id with sha512. Can you please confirm that everything is looking okay?

Paste expires in 3 days: Debian Pastezone

Oh, that page. Yes, that page has been known to be outdated for a long time, but no one has stepped up to update it. (I would do it myself, but I lack the knowledge.) [Update: Page removed.]

1 Like

Same here, I would gladely updateit myself, but it would be “on the surface” only, as any deeper technical knowledge is yet to be aquired …

Would you mind writing here the steps to do this changes ?
That’s exactly the mods I would like to do to my qubes 4.1.2 (Argon2id and 512)
Once I know how to do the partitionning I will be able to do the luks2
My wished partitionning:
sda1 /boot/efi
sda2 /boot
NVMe0p13 32GB /swap
NVMe0p14 32GB /tmp
NVMe1p1 1,8TB /
NVMe2p1 1,3TB /
NVMe2p2 512GB /home
I have no problem doing all the partition, but I don’t know how to have them all inside an LV and LUKS, especially the “/” being spread over 2 drives and the /tmp + Swap on an already used drive (hence partition # 13 and 14)

This is what I did, from LUKS to LUKS2 and then argon2id with SHA512.

sudo cryptsetup luksDump /dev/sdX
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file FILENAME
sudo cryptsetup convert /dev/sdX --type luks2
sudo cryptsetup luksConvertKey /dev/sdX --pbkdf argon2id --hash sha512

The backup file is a backup of your header, store it on a different disk than the one you intend to convert, if something goes wrong you can then restore it. I can’t help you past this with your setup, but this is what I had to do. luksDump will give your current settings and LUKS version, if it’s already version 2 you can skip the conversion and only convert the key.


Great ! thks :slight_smile:
That would allow me to just focuse on installing Qubes with the setup I want and forget tempoorarily the ctrl.alt.f2 mods
And once installed (The defult is Luks2 since Qubes 4.1) I will change the key to Argon2id and sha512
Unless someone is kind enough to get me out of my current situation and give me a full step.step to do the install AND the cryptosetup at once :wink:

For anyone wondering about this, I just did a fresh install of Qubes 4.2.0-rc1 and LUKS is set by default with argon2id. :slightly_smiling_face: