GNU bug report logs - #38826
doc: Mention no LUKS2 for luks-device-mapping


Package: guix-patches;

Reported by: David Trudgian <dave <at> trudgian.net>

Date: Tue, 31 Dec 2019 04:20:01 UTC

Severity: normal

To reply to this bug, email your comments to 38826 AT debbugs.gnu.org.


Report forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Tue, 31 Dec 2019 04:20:01 GMT)

Acknowledgement sent to David Trudgian <dave <at> trudgian.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 31 Dec 2019 04:20:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: David Trudgian <dave <at> trudgian.net>
To: guix-patches <at> gnu.org
Subject: doc: Mention no LUKS2 for luks-device-mapping
Date: Mon, 30 Dec 2019 21:47:01 -0600
I spent a bit of time trying to mount some existing LUKS2 devices on
boot in a Guix system. They worked to open and mount manually in a
booted system, but not on boot with luks-device-mapping. Eventually
worked out LUKS2 is not supported by the code that inspects the
superblock directly for the (LUKS1) UUID.

A mention that LUKS2 is not supported in the docs might be nice.

Cheers,

Dave Trudgian

[0001-Mention-no-LUKS2-in-luks-device-mapping-doc.patch (text/plain, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Thu, 02 Jan 2020 22:34:02 GMT)

Message #8 received at 38826 <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: David Trudgian <dave <at> trudgian.net>
Cc: 38826 <at> debbugs.gnu.org
Subject: Re: [bug#38826] doc: Mention no LUKS2 for luks-device-mapping
Date: Thu, 2 Jan 2020 23:32:56 +0100
Hi,

On Mon, 30 Dec 2019 21:47:01 -0600
David Trudgian <dave <at> trudgian.net> wrote:

> I spent a bit of time trying to mount some existing LUKS2 devices on
> boot in a Guix system. They worked to open and mount manually in a
> booted system, but not on boot with luks-device-mapping. Eventually
> worked out LUKS2 is not supported by the code that inspects the
> superblock directly for the (LUKS1) UUID.
> 
> A mention that LUKS2 is not supported in the docs might be nice.

I agree.

But better yet would be to implement LUKS2 in the uuid code.
Since you have such a device could you find where the magic number /
uuid parts in it are?

Both references [1] and [2] say that the magic number is 6 bytes and the
uuid is at offset 168 Byte, length 40 Byte.  Endianness is also big endian
in both, so I have no idea where the problem comes from.  The code should
work for both.

[1] LUKS1 on-disk format: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf
[2] LUKS2 on-disk format: https://habd.as/post/external-backup-drive-encryption/assets/luks2_doc_wip.pdf
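To make the on-disk detail in Danny's message concrete (6-byte magic, 16-bit version at offset 6, 40-byte UUID field at offset 168, all big endian, identical in LUKS1 and LUKS2), and to illustrate the failure David reports (a superblock scanner that only recognises LUKS1), here is an added, stand-alone Python example. It is not Guix's own Guile code and not from the thread: the header buffers are constructed test data with only magic, version and UUID filled in, and the LUKS2 secondary-header magic `SKUL\xba\xbe` and the device-lookup helper are my additions from the LUKS2 format documentation, not something the thread states.

```python
import struct
import uuid

# LUKS1 and LUKS2 primary headers share the same 6-byte magic; the big-endian
# 16-bit version field at offset 6 is what tells the two formats apart.
LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS2 also keeps a secondary (backup) header whose magic is spelled backwards
# (assumption taken from the LUKS2 format documentation, not from the thread).
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"
VERSION_OFFSET = 6
UUID_OFFSET = 168   # same offset in both formats, per references [1] and [2]
UUID_LENGTH = 40    # NUL-terminated ASCII text inside a 40-byte field
SUPPORTED_VERSIONS = (1, 2)


def luks_uuid(sblock: bytes, accepted_versions=SUPPORTED_VERSIONS):
    """Return (version, uuid) from a LUKS header, or None if it is not one.

    accepted_versions lets a caller reproduce a LUKS1-only check."""
    if len(sblock) < UUID_OFFSET + UUID_LENGTH:
        return None
    if sblock[:len(LUKS_MAGIC)] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    (version,) = struct.unpack_from(">H", sblock, VERSION_OFFSET)
    if version not in accepted_versions:
        return None
    field = sblock[UUID_OFFSET:UUID_OFFSET + UUID_LENGTH]
    try:
        text = field.split(b"\x00", 1)[0].decode("ascii")
        return version, str(uuid.UUID(text))   # str() canonicalises to lowercase
    except ValueError:                          # UnicodeDecodeError is a ValueError too
        return None


def luks1_only_uuid(sblock: bytes):
    """What a strict 'version == 1' check yields: LUKS2 headers are skipped even
    though their UUID sits at exactly the same offset."""
    return luks_uuid(sblock, accepted_versions=(1,))


def find_device_by_luks_uuid(devices, wanted: str,
                             accepted_versions=SUPPORTED_VERSIONS):
    """Mimic boot-time mapping: scan candidate superblocks and return the name of
    the device whose LUKS UUID matches, or None.  devices: dict name -> header."""
    wanted = str(uuid.UUID(wanted))
    for name, sblock in devices.items():
        parsed = luks_uuid(sblock, accepted_versions)
        if parsed is not None and parsed[1] == wanted:
            return name
    return None


def make_header(version: int, uuid_text: str, magic: bytes = LUKS_MAGIC) -> bytes:
    """Build a constructed, minimal header (test data, not a real volume): only
    magic, version and UUID are filled in, everything else stays zero."""
    buf = bytearray(4096)
    buf[0:len(magic)] = magic
    struct.pack_into(">H", buf, VERSION_OFFSET, version)
    encoded = uuid_text.encode("ascii")
    assert len(encoded) < UUID_LENGTH        # leave room for the NUL terminator
    buf[UUID_OFFSET:UUID_OFFSET + len(encoded)] = encoded
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample devices: one LUKS1, one LUKS2, one plain (all zeros).
    luks1 = make_header(1, "8a3b1c2d-0e4f-4a5b-9c6d-7e8f90a1b2c3")
    luks2 = make_header(2, "0d9c8b7a-6f5e-4d4c-8b3a-291807f6e5d4")
    devices = {"sda2": luks1, "sdc1": luks2, "sdb1": bytes(4096)}
    print(luks_uuid(luks1))
    print(luks_uuid(luks2))
    print(find_device_by_luks_uuid(devices, "0d9c8b7a-6f5e-4d4c-8b3a-291807f6e5d4"))
    # The same lookup with a LUKS1-only version check finds nothing.
    print(find_device_by_luks_uuid(devices, "0d9c8b7a-6f5e-4d4c-8b3a-291807f6e5d4", (1,)))
```

The point of `luks1_only_uuid` is the diagnostic one: because the magic and the UUID offset are identical in both formats, a scanner that gates on the version field is the only place where an otherwise correct UUID reader can silently ignore a LUKS2 volume; the thread itself does not confirm that this is what the Guix code does.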

Information forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Thu, 02 Jan 2020 22:54:01 GMT)

Message #11 received at 38826 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Danny Milosavljevic <dannym <at> scratchpost.org>,
 David Trudgian <dave <at> trudgian.net>
Cc: 38826 <at> debbugs.gnu.org
Subject: Re: [bug#38826] doc: Mention no LUKS2 for luks-device-mapping
Date: Thu, 02 Jan 2020 23:53:42 +0100
Danny, David,

Danny Milosavljevic wrote:
> David Trudgian <dave <at> trudgian.net> wrote:
>> A mention that LUKS2 is not supported in the docs might be nice.
>
> I agree.

Same.  Would you consider submitting a patch, David?  Or writing 
the text?

> But better yet would be to implement LUKS2 in the uuid code.

Has LUKS2 support[0] been added to GRUB yet?  Last I checked it 
hadn't.

Which isn't to say that we shouldn't get our own house in order, 
of course.

Kind regards,

T G-R

[0]: https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00000.html

Information forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Fri, 03 Jan 2020 02:08:02 GMT)

Message #14 received at 38826 <at> debbugs.gnu.org:

From: David Trudgian <dave <at> trudgian.net>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: David Trudgian <dave <at> trudgian.net>,
 Danny Milosavljevic <dannym <at> scratchpost.org>, 38826 <at> debbugs.gnu.org
Subject: Re: [bug#38826] doc: Mention no LUKS2 for luks-device-mapping
Date: Thu, 02 Jan 2020 19:56:33 -0600
Hi Danny, Tobias,

>>> A mention that LUKS2 is not supported in the docs might be nice.
>>
>> I agree.
>
> Same.  Would you consider submitting a patch, David?  Or writing the
> text?

My original email had a patch attached (or should have). Apologies -
there was no [PATCH] on the subject. Attaching here in case.

>> But better yet would be to implement LUKS2 in the uuid code.

I intend to take a look at this when I get time in the next week or so.

> Has LUKS2 support[0] been added to GRUB yet?  Last I checked it
> hadn't.

I don't believe GRUB has LUKS2 support for booting from an encrypted
partition merged yet. The last I saw there was a patch for LUKS2 but it
didn't support the Argon2i PBKDF which is the default you get when you
use LUKS2 in distros where a separate `/boot` is kept unencrypted, so it
wouldn't be useful yet.

It would still be good to be able to boot from LUKS1 but mount non-boot
LUKS2 partitions, so people like me coming from other distros can mount
their encrypted `/home` or similar without having to convert to LUKS1.

I have actually converted to LUKS1, which requires converting the key to
pbkdf2 first...

cryptsetup luksConvertKey --pbkdf=pbkdf2 /dev/sdc1
cryptsetup convert /dev/sdc1 --type luks1

...but I can easily create LUKS2 things to work on the UUID code.

Cheers,

DT

[0001-Mention-no-LUKS2-in-luks-device-mapping-doc.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Fri, 10 Jan 2020 15:40:02 GMT)

Message #17 received at 38826 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 38826 <at> debbugs.gnu.org
Subject: Fwd: [bug #55093] Add LUKS2 support
Date: Fri, 10 Jan 2020 16:39:00 +0100
Guix,

Good news:

Eli Schwartz (on Savannah):
> Follow-up Comment #5, bug #55093 (project grub):
>
> Yay, this is implemented in
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

I'll take a look later.  We'll see whether or not it would be 
prudent to ship this as-is in Guix.

Kind regards,

T G-R

Information forwarded to guix-patches <at> gnu.org:
bug#38826; Package guix-patches. (Fri, 10 Jan 2020 19:04:02 GMT)

Message #20 received at 38826 <at> debbugs.gnu.org:

From: David Trudgian <dave <at> trudgian.net>
To: "Tobias Geerinckx-Rice" <me <at> tobias.gr>
Cc: 38826 <38826 <at> debbugs.gnu.org>
Subject: Re: [bug#38826] Fwd: [bug #55093] Add LUKS2 support
Date: Fri, 10 Jan 2020 13:03:22 -0600
>> Yay, this is implemented in
>> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
>
> I'll take a look later.  We'll see whether or not it would be prudent
> to ship this as-is in Guix.

I had a look at this before, and the issue remaining is that the LUKS2
support in GRUB via this patch is not compatible with the default PBKDF
that is going to be used by cryptsetup when creating LUKS2 partitions.

Looking at `cryptsetup --help` on Guix or elsewhere will show that the
default LUKS2 PBKDF is argon2i. Unfortunately only pbkdf2 is supported by
this GRUB2 patch (it's the default PBKDF for LUKS1).

It's possible to create LUKS2 encrypted partitions using pbkdf2, but
this means they aren't using a PBKDF of the same strength that most
people expect from LUKS2 use elsewhere - in distros where an
unencrypted `/boot` is used to avoid the direct support in GRUB problem.

I'm not sure if this is a major concern or not here?

Have spent some of my morning writing up about encryption in Singularity
containers, which uses LUKS2... so this is a fun topic to see in my
mailbox right now :-)

Cheers,

DT