
Don't do it if you don't want to. There's no threat.
The downside of LUKS2 is a bigger header size, which takes more space to back up.
PS Warning: GRUB's support for LUKS2 is limited; see GRUB#Encrypted /boot for details. Use LUKS2 with PBKDF2 (cryptsetup luksFormat --pbkdf pbkdf2) for partitions that GRUB will need to unlock.
reply

How to know if you need to upgrade

Step 1: Find your encrypted device

Run this command to identify your encrypted partition:
lsblk
Look for entries with type "crypt" - the device above it in the tree is your actual encrypted device (something like /dev/sda2 or /dev/nvme0n1p2).

Step 2: Check your LUKS version and KDF

Once you've identified your encrypted device, run:
sudo cryptsetup luksDump /dev/whatever
(Replace /dev/whatever with your actual device name)

What to look for:

Check the Version:
  • If it shows Version: 1, you're using LUKS1 and definitely need to upgrade
  • LUKS1 only supports PBKDF2, which is vulnerable to GPU-based attacks
Check the PBKDF (Key Derivation Function): Look for the PBKDF: line in each keyslot section. You need to upgrade if you see:
  • pbkdf2 - old and vulnerable to GPU attacks
  • argon2i - better but not GPU-resistant
You're good if you see:
  • argon2id - this is the current recommended KDF that's resistant to GPU attacks

Quick summary:

  • LUKS1 + PBKDF2 = definitely upgrade
  • LUKS2 + PBKDF2 = upgrade recommended
  • LUKS2 + argon2i = upgrade recommended
  • LUKS2 + argon2id = you're good!
reply
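The version and KDF checks from the comment above, as a script that reads luksDump output (an added example, not part of the thread). The function name luks_verdict and the sample dump are constructed for illustration; reporting the weakest keyslot when several exist goes beyond the post's summary.

```shell
#!/bin/sh
# Added example (not from the thread): classify `cryptsetup luksDump` text.
# Real use: sudo cryptsetup luksDump /dev/whatever | luks_verdict

luks_verdict() {
    awk '
        $1 == "Version:" { version = $2 }
        # Only keyslot "PBKDF:" lines count. LUKS2 also lists "0: pbkdf2"
        # under "Digests:"; that is not a keyslot KDF and is not matched here.
        $1 == "PBKDF:" { kdf[$2]++ }
        END {
            # Any keyslot can unlock the volume, so the weakest one decides.
            if (version == "")     { print "unknown: no Version line"; exit 2 }
            if (version == "1")    { print "upgrade: LUKS1 (PBKDF2 only)"; exit 1 }
            if ("pbkdf2" in kdf)   { print "upgrade: keyslot uses pbkdf2"; exit 1 }
            if ("argon2i" in kdf)  { print "upgrade: keyslot uses argon2i"; exit 1 }
            if ("argon2id" in kdf) { print "ok: all keyslots use argon2id"; exit 0 }
            print "unknown: no PBKDF line"; exit 2
        }'
}

# Constructed sample: abridged LUKS2 dump, one argon2id and one pbkdf2 keyslot.
sample_mixed_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_mixed_dump | luks_verdict || true   # prints: upgrade: keyslot uses pbkdf2
```

The exit status is 0 for argon2id only, 1 when an upgrade is indicated, and 2 when the dump could not be interpreted.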