1

Topic: Question about Grub2 and Luks2

Hello,

I was planning to install Libreboot with full disk encryption (including /boot) using Luks2, but I saw a message that this requires Grub to be version 2.12 or higher to implement this scheme=> https://canoeboot.org/gnuboot.html#grub … ks-headers If I understood everything correctly.

How possible is it to build Grub 2.12 yourself using this PKGBUILD? https://aur.archlinux.org/cgit/aur.git/ … 9fa4c2f50d

2

Re: Question about Grub2 and Luks2

I'm sorry but I don't know the answer to your question but I'm curious. Is there any need to use LUKS2?

3 (edited by zapper 2024-01-30 03:56:58)

Re: Question about Grub2 and Luks2

jim wrote:

Hello,

I was planning to install Libreboot with full disk encryption (including /boot) using Luks2, but I saw a message that this requires Grub to be version 2.12 or higher to implement this scheme=> https://canoeboot.org/gnuboot.html#grub … ks-headers If I understood everything correctly.

How possible is it to build Grub 2.12 yourself using this PKGBUILD? https://aur.archlinux.org/cgit/aur.git/ … 9fa4c2f50d

Good news actually, I am currently using luks2. As for FDE + /boot 

Haven't tried, but I am sure it's possible.

I am using FDE - /boot

Both guides are under the install/update part of the forum.

Long time ago, I used to use FDE - /boot

but the password entering twice was getting on my nerves... so yeah I lost interest.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

4

Re: Question about Grub2 and Luks2

Hello Zapper. Please clarify which version of Libreboot you are using? Stable 20230625 or test 20231106 which has Luks2 support for the entire disk.

Excerpt from the site https://canoeboot.org/docs/gnulinux/ This is also Leah’s site, it duplicates the information on the official site.

For all intentions, the average user cannot have a fully encrypted system on GNU Boot. They must leave /boot unencrypted on GNU+Linux distros.

5

Re: Question about Grub2 and Luks2

Hello Maran. This is a personal matter for everyone. When I leave the house I close the door, someone leaves it open. This is the answer to your question.

6

Re: Question about Grub2 and Luks2

jim wrote:

Hello Maran. This is a personal matter for everyone. When I leave the house I close the door, someone leaves it open. This is the answer to your question.

The question was: What advantages has LUKS2? And where are issues with LUKS1? Here is a bit better explanation: https://tails.net/security/argon2id/index.en.html

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

7 (edited by jim 2024-01-30 18:23:12)

Re: Question about Grub2 and Luks2

Throgh, thank you very much for the information. Good and useful article.
I installed a fully encrypted Luks2 system including the boot partition and received the error:

error : disk 'lvmid /WuGDE4-Po2w-3n6d-9pcY-sqsoV-eTsq-aLxagJ' not found

8

Re: Question about Grub2 and Luks2

jim wrote:

Hello Zapper. Please clarify which version of Libreboot you are using? Stable 20230625 or test 20231106 which has Luks2 support for the entire disk.

Excerpt from the site https://canoeboot.org/docs/gnulinux/ This is also Leah’s site, it duplicates the information on the official site.

For all intentions, the average user cannot have a fully encrypted system on GNU Boot. They must leave /boot unencrypted on GNU+Linux distros.

Stable 20230625 so... yeah.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

9 (edited by jim 2024-01-30 19:55:48)

Re: Question about Grub2 and Luks2

zapper wrote:

Stable 20230625 so... yeah.

This means that you are not able to use Luks2 since luks2 uses argon2, which only the latest versions of libreboot support

==> https://libreboot.org/news/argon2.html

10 (edited by zapper 2024-01-30 20:03:17)

Re: Question about Grub2 and Luks2

jim wrote:
zapper wrote:

Stable 20230625 so... yeah.

This means that you are not able to use Luks2 since luks2 uses argon2, which only the latest versions of libreboot support

==> https://libreboot.org/news/argon2.html

That's odd, I am currently using a laptop with luks2 and argon2. Very weird.

I tested a guide and it worked, disk cloned it onto my current hardware, no issues, etc... :)

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

11

Re: Question about Grub2 and Luks2

Look here: https://bbs.archlinux.org/viewtopic.php?id=281191

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

12

Re: Question about Grub2 and Luks2

The fact is that the concept of FDE is not entirely correctly interpreted, as it is written here => https://cryptsetup-team.pages.debian.ne … boot.html, I agree with this. It seems to me that Full disk encryption should mean encrypting the entire disk including the /boot partition.

Now I want to ask you again)) Your entire disk is encrypted including the boot partition and your version of Libreboot is 20230625, are you sure?

13

Re: Question about Grub2 and Luks2

Thanks for the help, maybe I didn’t mount the /boot partition and this led to an error, but this is also not indicated in the wiki https://wiki.parabola.nu/Installing_Par … ng_/boot), I’ll try again...

14

Re: Question about Grub2 and Luks2

Hello Throgh. Please tell me, do you understand what is written here => https://libreboot.org/docs/linux/#encry … ith-argon2 from an installation point of view?

I don't understand ...

Does this mean I need to install Grub? I have already tried this option and the system does not boot.
I also came across similar information here that you don’t need to install Grub https://github.com/hankbao/libreboot/bl … risquel.md

You do not need to install GRUB at all, since in Libreboot, you are using the GRUB payload on the ROM to boot your system.

15

Re: Question about Grub2 and Luks2

Only from what I have read so far: That paragraph is using not dedicated information and more assumptions like "it should work". So this is done from perhaps what was tested depending on the system-distribution in usage and that can also exclude Hyperbola as for example we have different other options alike. But last but not least: A full disk encryption bears always a high risk so all the assumptions in that documentation stay also assumptions for many other systems.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

16

Re: Question about Grub2 and Luks2

I completely agree with you that this is more of a “this should work” suggestion and not an instruction! Your answer confirmed my opinion.

I now tried the option of mounting the boot partition, but I also received an error

error : disk 'lvmid /WuGDE4-Po2w-3n6d-9pcY-sqsoV-eTsq-aLxagJ' not found

When I tried to use the

cryptomount -a 

command I got the answer

Unknown command cryptomount

I think this is a problem with Grub...

17

Re: Question about Grub2 and Luks2

So I highly doubt this was more than a test and only "could work somehow" noted. So this explains also the problems we had and have with explaining and creating a fully working documentation of full disk encryption. And that also relies to the failed wiki-articles we had before.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

18

Re: Question about Grub2 and Luks2

As you know, I wanted to write another instruction for all users on full disk encryption, including the /boot partition using Luks2 /argon2, which only the latest versions of libreboot support, but so far I haven’t succeeded, I’ll continue to work...

Maybe I'll try other distributions for testing...

PunBB bbcode test

19

Re: Question about Grub2 and Luks2

I wanted to ask you. Can I build this PKGBUILD => Grub 2.12 => https://aur.archlinux.org/cgit/aur.git/ … 9fa4c2f50d to install it and continue installing Luks2?
If I have Grub 2.12 (pkgdesc="GNU GRand Unified Bootloader (2) with Argon2 and better LUKS2 support") will the new version of Grub be able to decrypt the disk?

20

Re: Question about Grub2 and Luks2

I cannot say if you can build this PKGBUILD: I have not tried it and have no time for the moment doing anything with it. The problem I see with many AUR-packages and also Arch-packages in the meantime: Their quality is going really down. Using git as only source is really not the way to go:

"grub::git+https://git.savannah.gnu.org/git/grub.git"
"grub-extras::git+https://git.savannah.gnu.org/git/grub-extras.git"
"gnulib::git+https://git.savannah.gnu.org/git/gnulib.git"

Both Arch GNU/Linux official packages and also AUR-packages are quite often doing that and the results vary therefore. Using stable tarballs or packaged files is way better so you can also really say if this is 2.12 or something else like the PKGBUILD is doing that in its versioning:

2.06.r499.ge67a551a4

I cannot even tell which version this really is and therefore also not recommend using this PKGBUILD. Also the official GRUB-PKGBUILD is doing that. I cannot answer your questions therefore.

The problem also here is quite different and from my current information the problem of Libreboot itself. Updating and sidewise sending the information that only newest Grub-versions are supporting some features is not a real way forward, more backwards. It is leaving people behind and systems like Hyperbola also with the question: Why updating a working package? Just so that the newest version from Libreboot is supporting encryption? That's not the problem of Hyperbola and the essential question of the sphere for free, libre software. Jumping behind upstream, leaving problems opened while closed with versions before. Never a good way.

Never change a running system!

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

21

Re: Question about Grub2 and Luks2

I asked about PKGBUILD for a reason. As you understand, the safety of Hyperbola users is the number 1 factor, even if you are busy!

I would also like to give you a link to a useful and interesting article => https://dys2p.com/en/2023-05-luks-security.html  in which professionals in the field of encryption claim that you need to use argon2id! Hyperbola currently uses argon2i. Out of curiosity, I checked Trisquel (I’m just not comparing the example) and there cryptsetup has version 2.4 and not 2.3!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default.

I am sure that we need to have instructions for installing Luks2 +argon2id +Libreboot including the /boot partition to protect users.
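Added example, not part of any post in this thread and not code from Libreboot, GRUB or cryptsetup: a reader for the LUKS2 on-disk header that reports which KDF each keyslot uses, since the thread turns on whether the bootloader can handle Argon2 keyslots and on argon2i versus argon2id. The function names and the sample header are constructed for illustration; the sample carries only the fields the reader uses.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # JSON metadata area starts right after the binary header


def keyslot_kdfs(header: bytes) -> dict:
    """Map keyslot id -> KDF type, read from a primary LUKS2 header."""
    if len(header) < BIN_HDR_SIZE or header[:6] != LUKS_MAGIC:
        raise ValueError("no primary LUKS header found")
    # Big-endian: uint16 version at offset 6, uint64 hdr_size (binary + JSON) at 8.
    version, hdr_size = struct.unpack_from(">HQ", header, 6)
    if version != 2:
        raise ValueError(f"LUKS version {version}: no LUKS2 JSON metadata")
    if not BIN_HDR_SIZE < hdr_size <= len(header):
        raise ValueError("header truncated, read at least hdr_size bytes")
    # The JSON text is NUL-padded up to hdr_size.
    meta = json.loads(header[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0])
    return {slot: ks["kdf"]["type"] for slot, ks in meta["keyslots"].items()}


def slots_needing_argon2(kdfs: dict) -> list:
    """Keyslots a bootloader without Argon2 support cannot derive a key for."""
    return sorted(s for s, kdf in kdfs.items() if kdf.startswith("argon2"))


def build_sample_header(keyslots: dict, version=2, hdr_size=16384) -> bytes:
    """Constructed test input: magic, version, hdr_size, then JSON at 4096."""
    binary = (LUKS_MAGIC + struct.pack(">HQ", version, hdr_size)).ljust(BIN_HDR_SIZE, b"\0")
    return (binary + json.dumps({"keyslots": keyslots}).encode()).ljust(hdr_size, b"\0")


# Constructed sample: slot 0 uses argon2i, slot 1 was added with PBKDF2.
SAMPLE = build_sample_header({
    "0": {"type": "luks2", "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}},
})

if __name__ == "__main__":
    kdfs = keyslot_kdfs(SAMPLE)
    for slot, kdf in sorted(kdfs.items()):
        print(f"keyslot {slot}: {kdf}")
    print("need Argon2 in the bootloader:", slots_needing_argon2(kdfs))
```

On an installed system, `cryptsetup luksDump` on the device shows the same value as the PBKDF field of each keyslot.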

22

Re: Question about Grub2 and Luks2

Jim, for real: I won't start this kind of debate again. You have done them numerous times now. Should I list that method? Come on, I will:

1. You are posting some information.
2. I react with some further information.
3. You are comforting first with then stating that features are needed and not working.
4. You post some PKGBUILD or updated other package, with the point that this is needed but not working.
5. Now we are here, again at the point where you try to harden your argumentation with some further articles and why you think this is needed.

Okay, now I repeat one essential part of free, libre software: Working together. You can try building on your own, jim. You can experiment and try out on your own for real. It is NOT my task to do that while I'm for real rebuilding around 80 packages at the moment and HAVE NO TIME to go in that. I have written that numerous times before and repeat this one last time. I'm one person. I have no issues with the points stated, but I have one essential issue: Demanding indirect from me attention and working immediately on this point while I always stick to the roadmap set before. And there is NO "we update grub because it offers even more security" for the moment.

If you want to bring that on the point: Do it, but please with support and not with showing the results not working or some PKGBUILD we clearly cannot use. It is "Do it yourself" as mentality! You have approved now that LUKS2 is for the moment not working the way you think in need. Okay, recognized. Either you support with updating and approval or you bring someone in supporting us there. But I repeat one last time: I won't update grub under no point for the moment.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

23

Re: Question about Grub2 and Luks2

Perhaps this is a problem with Libreboot, including with Leah, who makes mistakes, which is probably why separate projects like Gnuboot are being created.


By the way, I wanted to ask you, do you have a relationship with https://libreboot.at/ why when I click here https://libreboot.at/docs/gnulinux/

and Installing Hyperbola GNU+Linux, with Full-Disk Encryption (including /boot) site redirects here.

But I'm talking about something else. We need to have Luks2 +argon2id including encryption of the /boot partition which is important!
Please tell me how to do this?

24

Re: Question about Grub2 and Luks2

I repeat: I'm the wrong person in doing this, jim. And I won't engage within this alone. Also: It is not my task now to search ways enabling this. If you want this: Please again, bring possible support into or people from the community have interest.

And we have no relation with GNU/Boot (the original libreboot.at).

I won't attend any longer in this thread. Sorry, but under the current circumstances I cannot provide help here. I have done already what I can do and also have forwarded that thread. When there is some reaction from the people I have forwarded, I can post again. For now: I'm out. :)

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

25 (edited by jim 2024-01-31 13:21:59)

Re: Question about Grub2 and Luks2

Okay, I got you. I'll wait for other users to respond...

I wanted to correct you! It’s not me who thinks that something needs to be corrected, but professionals in the field of encryption! This is an important adjustment!

There are a number of countermeasures against the above-mentioned attacks on encrypted data (media). The algorithms and software used should be as up-to-date as possible (e.g. LUKS2 with Argon2id) https://dys2p.com/en/2023-05-luks-security.html

In our estimation, based on the available information, PBKDF2 and LUKS1 cannot be held exclusively responsible for decryption. It is important to use a strong password or passphrase and to follow the described recommendations when using them. Using up-to-date software and algorithms increases security and reduces possible attack surfaces.

Upgrading the key derivation function is not a one-time task. You should check every few years whether the function you are using is still considered secure, and adjust the level of difficulty. This applies not only to LUKS, but to all password-based encryption tools such as VeraCrypt or KeePassXC.