Persistent Storage: Use LUKS2
Originally created by @je843 on #15450 (Redmine)
Cryptsetup 2.0.x supports the LUKS2 format that includes the Argon2i and
Argon2id hash algorithms. Argon2 is a memory-hard hash that strengthens
Attacker costs should be much higher then the current Cryptsetup 1.X which uses PBKDF2 which hashes with SHA-256.
cryptsetup allows converting existing LUKS volumes to LUKS2. But for the first iteration, let’s only consider using LUKS2 for newly created persistent volumes.
Status and Next Steps
Most of the work was done on (not merged) !256 (closed), aka
Update: what follows is probably not needed anymore thanks to Use zram (!1064 - merged).
Next steps are:
- Bump memory requirements to 3GB (#18040)
Not enough available memory to open a keyslotNot enough available memory to open a keysloton some host testing systems
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information