Public bug reported:

Currently, there is no way to configure the PBKDF for dmcrypt when running cryptsetup [1]. However, it is possible to do [2]. The default PBKDF is Argon2i, which is not currently FIPS 140-3 compliant. This means users of 22.04 FIPS will not be able to autoinstall in a compliant manner without additional steps [3].

I propose that we allow users to set this flag to one of the available algorithms and pass this as a CLI option in the creation that I linked.

---

[1] https://github.com/canonical/curtin/blob/master/curtin/commands/block_meta.py#L1702C1-L1710C61
[2] https://manpages.ubuntu.com/manpages/jammy/en/man8/cryptsetup.8.html
[3] https://ubuntu.com/security/certifications/docs/2204/fips#p-99917-fips-and-full-disk-encryption

** Affects: curtin
     Importance: Undecided
         Status: New

** Affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: ubuntu
   Importance: Undecided
       Status: New

** Also affects: subiquity (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: ubuntu

--
https://bugs.launchpad.net/bugs/2100555

Title:
  [Feature Request] Allow changing PBKDF in dm_crypt storage module for FIPS compliance
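
An added example, not curtin's or subiquity's own code: a Python sketch of the requested behaviour, passing a validated PBKDF name to `cryptsetup luksFormat` via `--pbkdf`, plus a check that reads `cryptsetup luksDump` text and reports keyslots using a PBKDF outside an allowed set. The function names, the sample dump (constructed) and the choice of `pbkdf2` as the only allowed value are assumptions.

```python
import re

# PBKDF names accepted by cryptsetup's --pbkdf option.
VALID_PBKDFS = ("pbkdf2", "argon2i", "argon2id")


def luks_format_cmd(device, keyfile, pbkdf=None):
    """Build a luksFormat argv; pbkdf=None keeps cryptsetup's default."""
    cmd = ["cryptsetup", "--type", "luks2", "--batch-mode"]
    if pbkdf is not None:
        if pbkdf not in VALID_PBKDFS:
            raise ValueError(f"unsupported PBKDF: {pbkdf!r}")
        cmd += ["--pbkdf", pbkdf]
    return cmd + ["luksFormat", device, keyfile]


def keyslot_pbkdfs(luks_dump_text):
    """Map keyslot number -> PBKDF name from `cryptsetup luksDump` text."""
    slots, current, in_keyslots = {}, None, False
    for line in luks_dump_text.splitlines():
        if re.match(r"\S", line):  # unindented line starts a new section
            in_keyslots = line.startswith("Keyslots:")
            current = None
        elif in_keyslots:
            slot = re.match(r"\s+(\d+): luks2", line)
            kdf = re.match(r"\s+PBKDF:\s+(\S+)", line)
            if slot:
                current = int(slot.group(1))
            elif kdf and current is not None:
                slots[current] = kdf.group(1)
    return slots


def noncompliant_slots(luks_dump_text, allowed=("pbkdf2",)):
    """Keyslots whose PBKDF is not in `allowed` (assumed policy: pbkdf2)."""
    found = keyslot_pbkdfs(luks_dump_text)
    return sorted(n for n, kdf in found.items() if kdf not in allowed)


# Constructed sample in the shape of LUKS2 luksDump output (abridged).
SAMPLE_DUMP = (
    "LUKS header information\nVersion:        2\n\nKeyslots:\n"
    "  0: luks2\n\tKey:        512 bits\n\tPBKDF:      argon2i\n"
    "  1: luks2\n\tKey:        512 bits\n\tPBKDF:      pbkdf2\n"
    "Tokens:\nDigests:\n  0: pbkdf2\n\tHash:       sha256\n"
)

if __name__ == "__main__":
    print(luks_format_cmd("/dev/vdb1", "/tmp/keyfile", "pbkdf2"))
    print(noncompliant_slots(SAMPLE_DUMP))
```

The digest entry in the `Digests:` section is deliberately ignored, since only keyslot PBKDFs are affected by `--pbkdf`.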
