LUKS2 + YubiKey Bio https://funzt.info/howto/linux/2023/07/16/luks2-+-yubikey-bio.html #HOWTO #Linux #LUKS2
Now I tried to achieve the same (including encrypted /boot) with a Standard #Debian 12 NetInstall.
This time using #LVM, having one Volume Group with separate Logical Volumes for root, swap and home.
Pure hell!
This involved switching to a different TTY during install and booting into Rescue Mode after install.
When will #grub get an official patch to *fully* support #LUKS2? This was the biggest hurdle to overcome. Eventually got it working, albeit using LUKS1.
#Tails 5.14 Ships with Automatic Migration to #LUKS2 :linux: 🔒
https://linuxiac.com/tails-5-14-ships-with-automatic-migration-to-luks2/
@gnulinux Thanks for the article series!
Thanks to #archinstall, installing #Arch-#Linux has become surprisingly easy. After many installation tests, though, it seems to me that only Gnome actually offers a usable desktop out of the box. KDE and Cinnamon need some rework, and sway isn't even started.
Great: #LUKS2 encryption (#manjaro is unfortunately still on #LUKS(1)) and #Wayland by default with Gnome and even with KDE 😊
#wayland #luks #manjaro #luks2 #Linux #arch #Archinstall
The maintainers of the #Tails project have added the tool curl in version 5.13 and now default to #LUKS2 for encrypted drives. #linux
https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-13-ergaenzt-curl-und-schwenkt-auf-LUKS2-9058142.html
It seems my #GRUB understands both argon2i and argon2id now… #cryptodisk #luks2
Thank you for sounding the alert!
I identified a minor issue with your otherwise nice explanation: According to my sources (man cryptsetup, #rfc9106), all #argon2 varieties are memory-hard. RFC 9106 is even titled “Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications”.
However, given that there are known attacks against #argon2i, it seems wise to use #argon2id instead. It is also what is recommended in the RFC.
As a #QubesOS user, I just checked the state of affairs there:
The cryptsetup that comes with QubesOS 3.x used #luks1, and those who did an in-place upgrade to 4.x still have that unless they converted to #luks2 manually (as detailed in the migration guide).
The cryptsetup in QubesOS 4.x uses #luks2, but it still defaults to #argon2i unfortunately.
#luks2 #luks1 #qubesos #Argon2id #argon2i #argon2 #rfc9106
Now that I made some changes to build #mobian #librem5 image with root filesystem over #LUKS2 volume, my librem5 now became my day to day device 👍
https://salsa.debian.org/Mobian-team/mobian-recipes/-/merge_requests/80
Thanks my #pinephone, you did a good job even if you are quite slow.
If I find the way to repair the microphone, I'll give you to someone 👋
(cc @mobian)
#mobian #librem5 #luks2 #pinephone
#Fosdem2023 had a couple of good talks around #FIDO2 and their applicability beyond web - login, #SSH authentication, #LUKS2 unlocking, etc.
#LWN has a good article about these talks[1] and you can find the full presentations on #Fosdem's website[2].
[1] https://lwn.net/Articles/923656/
[2] https://fosdem.org/2023
https://fosdem.org/2023/schedule/event/passwordless/
https://fosdem.org/2023/schedule/event/security_remote_fido/
#Fosdem2023 #fido2 #ssh #luks2 #lwn #fosdem
If you plan to use Grub 2.06 with LUKS2, note that:
> - Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.
> - grub-install does not support creating a core image that could be used for unlocking LUKS2.
(https://wiki.archlinux.org/title/GRUB#LUKS2)
Just had a hard long time debugging because I assumed full support which is not the case yet.
Also `grub-mkconfig` or `grub-install` do not bother to warn you about any incompatibility. The crypto commands are just silently omitted. 😑
#grub #grub206 #luks #luks2 #linux #bootchain
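As an added example (not part of the post above, nor code from GRUB or cryptsetup), a check for the limitation quoted from the Arch wiki: it reads LUKS2 JSON metadata and reports which keyslots use a KDF that GRUB 2.06 can unlock. The sample metadata is constructed and the function names are hypothetical.

```python
import json

# KDFs GRUB 2.06 can use for a LUKS2 keyslot, per the Arch wiki note quoted above.
GRUB_206_KDFS = {"pbkdf2"}

# Constructed sample in the shape of LUKS2 JSON metadata (salts and costs are made up).
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                  "cpus": 4, "salt": "Y29uc3RydWN0ZWQ="}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256",
                  "iterations": 1000000, "salt": "Y29uc3RydWN0ZWQ="}}
  }
}
"""


def classify_keyslots(metadata_json):
    """Return {slot: (kdf_type, usable_by_grub_206)} for every keyslot."""
    meta = json.loads(metadata_json)
    slots = sorted(meta.get("keyslots", {}).items(), key=lambda kv: int(kv[0]))
    result = {}
    for slot, desc in slots:
        # A keyslot without a readable KDF entry is treated as unusable.
        kdf = desc.get("kdf", {}).get("type", "unknown")
        result[slot] = (kdf, kdf in GRUB_206_KDFS)
    return result


def grub_206_can_unlock(metadata_json):
    """True if at least one keyslot uses a KDF GRUB 2.06 supports."""
    return any(ok for _, ok in classify_keyslots(metadata_json).values())


if __name__ == "__main__":
    for slot, (kdf, ok) in classify_keyslots(SAMPLE_METADATA).items():
        verdict = "ok for GRUB 2.06" if ok else "NOT usable by GRUB 2.06"
        print(f"keyslot {slot}: {kdf:<9} {verdict}")
    if not grub_206_can_unlock(SAMPLE_METADATA):
        print("no keyslot GRUB 2.06 can unlock; boot would fail at the cryptodisk step")
```

On a real system the metadata can be obtained with `cryptsetup luksDump --dump-json-metadata <device>` (cryptsetup 2.4 or later) and passed to `classify_keyslots`.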
GRUB boot loader adds support for LUKS2 encrypted disks.
https://www.linuxexperten.com/news/grub-boot-loader-adds-support-luks2-encrypted-disks
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
@Cheatha That raises several questions: Is a hard disk or an SSD to be encrypted? The whole thing or just one partition? With or without swap space? LUKS1 (works with GRUB, 8 keys) or #LUKS2 (32 keys)? And does it absolutely have to be #Debian? Whether BIOS or EFI doesn't really matter, I think, except that EFI always needs its own boot partition. And I would also do without LVM unless you really need it.
I'm more at home with #Manjaro, but because of 32 bit I have a netbook running #MXLinux, whose installer handles encryption in exemplary fashion, including LUKS2 (still very rare). That's why I threw plain Debian off it again…
#mxlinux #manjaro #Debian #luks2