Merged
11 changes: 9 additions & 2 deletions src/installation/guides/fde.md
Expand Up @@ -46,8 +46,15 @@ Device Start End Sectors Size Type
## Encrypted volume configuration

[Cryptsetup](https://man.voidlinux.org/cryptsetup.8) defaults to LUKS2, yet GRUB
releases before 2.06 only had support for LUKS1. Therefore, it might make sense
to force LUKS1 if you wish to achieve better compatibility.
releases before 2.06 only had support for LUKS1.

LUKS2 is only partially supported by GRUB; specifically, only the PBKDF2 key
derivation function is
[implemented](https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755),
which is *not* the default KDF used with LUKS2, that being Argon2i ([GRUB Bug
59409](https://savannah.gnu.org/bugs/?59409)). LUKS encrypted partitions using
Argon2i (as well as the other KDF) can *not* be decrypted. For that reason, this
guide only recommends LUKS1 be used.

Keep in mind the encrypted volume will be `/dev/sda2` on EFI systems, since
`/dev/sda1` is taken up by the EFI partition.
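
Review bot: The added sentence "LUKS encrypted partitions using Argon2i (as well as the other KDF) can *not* be decrypted" is ambiguous in two places. "The other KDF" is never named, and because PBKDF2 was introduced one sentence earlier as the function GRUB does implement, a reader can take it to mean PBKDF2; name the KDF explicitly. The sentence also drops the subject: the limitation described is GRUB's, so it should read "can *not* be decrypted by GRUB", otherwise it reads as if such volumes are unrecoverable in general. Finally, "For that reason, this guide only recommends LUKS1" does not fully follow from the preceding text, which says LUKS2 with PBKDF2 is implemented; add a short clause saying why that combination is not recommended, or mention it as an alternative.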