Luks2, new cryptosetup release, new Qubes?

Great !! So I would “just” have to change the sha256 to sha512 and everything else is “standard by default”
I can’t wait to try it !!

Same here, I would “just” have to change the sha256 to sha512 and everything else is “standard by default”

  • The Argon2i where “i” is for password cypher.
    Why not using Argon2d or Argon2id ?
    (Just for my own knowledge, as this is way out of my technical reach)

Suggestion:
In January 2020 GRUB2 got a patch and is now able to handle LUKS2 headers, but only with the legacy PBKDF2 algorithm (Argon2i, NDLR). There are two problems here. The first is that it takes time until such a patch comes into a release version and even more time until it is distributed. Debian 10.4 (stable-branch) for example has still an older version of GRUB2 which is unable to handle LUKS2. And second, Argon2 is not supported by GRUB2 even with the mentioned initial LUKS2-patch.

If you were to create a LUKS2 /boot partition, chances are high that it will default to Argon2i. For /boot you would have to specify --pbkdf pbkdf2 while creating a new keyslot for GRUB2 (with the LUKS2-patch) to make this work.

These are great questions for the LUKS developers. Please ask them and let us know.

Apparently there is someting with GRUB and Argon2id that is not quite straight,
Therefore understandably QUBES choose to set it to Argon2i only