Bug#919725: [pkg-cryptsetup-devel] Bug#919725: cryptsetup: switch to LUKS2 by default for new installs
On Fri, 2019-01-18 at 15:01 -0800, Matt Taggart wrote:
> Is it ready to become the default for new installs yet?

Being not much more than just a user of it and regularly following the upstream mailing list… I'd rather suggest to be conservative in that matter.

AEAD is still marked as experimental by upstream and while there are other reasons to use LUKS2 (which could be quite stable already) it's crypto what we're talking about: security is the utmost goal (which is also why most other writers and myself seemed rather concerned about Debian's intention to default to TRIM enabled in dm-crypt).

A good thing, which makes it IMO also less pressing to switch to LUKS2 is, that LUKS1 can be in-place-converted to LUKS2 in most cases. So users can most of the time switch later, without having to rewrite everything.

Cheers,
Chris.
Bug#919725: [pkg-cryptsetup-devel] Bug#919725: cryptsetup: switch to LUKS2 by default for new installs
Hi Matt,

On Fri, 18 Jan 2019 at 15:01:59 -0800, Matt Taggart wrote:
> There was some discussion on the debian-boot list during the
> libcryptsetup transition about the format
>
> https://lists.debian.org/debian-boot/2017/12/msg00231.html
>
> including a comment,
>
> "feel free to poke us again for partman-crypto when the new format
> looks mature enough so that we see about adding support for it."

Please see https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1 and this thread https://www.saout.de/pipermail/dm-crypt/2018-July/005925.html .

We'd much prefer if the d-i default LUKS format was identical to the cryptsetup(8) binary here, and we'd rather avoid a Debian-specific patch to change the LUKS format version in the binary. At least not without upstream's blessing; the above thread indicates a few subtle — now fixed — issues with libblkid for instance, so we should really be careful here.

Upstream is aware of the upcoming freeze, and AFAIK the plan is still to release 2.1, defaulting to LUKS2, in time for Buster. I actually planned to bump the thread shortly before FOSDEM :-) (Should we miss the deadline, we'll consider a Debian-specific patch in src:cryptsetup and ask for upstream's opinion.)

Cheers,
--
Guilhem.
Bug#919725: cryptsetup: switch to LUKS2 by default for new installs
Package: cryptsetup
Version: 2:2.0.6-1
Severity: wishlist

LUKS2 format was introduced in 2:2.0.0~rc0-1 which went into Debian on 03 Oct 2017.

There was some discussion on the debian-boot list during the libcryptsetup transition about the format

https://lists.debian.org/debian-boot/2017/12/msg00231.html

including a comment,

"feel free to poke us again for partman-crypto when the new format looks mature enough so that we see about adding support for it."

Is it ready to become the default for new installs yet?

I started thinking about this when I saw that Fedora is planning on moving to it by default

https://www.phoronix.com/scan.php?page=news_item=Fedora-30-LUKS2-Default

Thanks,

--
Matt Taggart
tagg...@debian.org