Closed
Open
Created Mar 23, 2018 by Ghost User@ghost

Create LUKS2 persistent volumes by default

Originally created by @je843 on #15450 (Redmine)

Cryptsetup 2.0.x supports the LUKS2 format that includes the Argon2i and Argon2id hash algorithms. Argon2 is a memory-hard hash that strengthens low-entropy passphrases.
Attacker costs should be much higher than the current Cryptsetup 1.X which uses PBKDF2 which hashes with SHA-256.

cryptsetup allows converting existing LUKS volumes to LUKS2. But for the first iteration, let’s only consider using LUKS2 for newly created persistent volumes.

Status and Next Steps

Most of the work was done on (not merged) !256 (closed), aka wip/feature/15450-luks2, already.

Next steps are:

  • #18040
  • guestfs' luks_open fails with "Not enough available memory to open a keyslot" on some host testing systems

Related issues

  • Blocked by sysadmin#17731 (closed)
  • Related to #14468 (closed)
  • Blocked by #15944 (closed)
  • Blocked by #17457 (closed)
Edited Nov 26, 2020 by intrigeri
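
To check which KDF a given volume actually uses, and how much memory each Argon2 keyslot requests when it is opened, the header can be inspected directly. This is an added example, not code from the issue or from the Tails project; it assumes the standard LUKS on-disk layout (magic and version at the start, and for LUKS2 a 4096-byte binary header followed by JSON metadata), and the function names and sample headers are constructed for illustration.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR = 4096  # size of the LUKS2 binary header; the JSON area follows it


def luks_kdf_report(image: bytes) -> dict:
    """Return the LUKS version and the KDF parameters of each keyslot."""
    if len(image) < 16 or image[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", image[6:8])
    if version == 1:
        # LUKS1 offers no KDF choice: every keyslot is PBKDF2.
        return {"version": 1, "keyslots": {"*": {"type": "pbkdf2", "memory_kib": None}}}
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    (hdr_size,) = struct.unpack(">Q", image[8:16])  # binary header + JSON area
    if hdr_size <= LUKS2_BIN_HDR or hdr_size > len(image):
        raise ValueError("truncated or corrupt LUKS2 header")
    # The JSON metadata is NUL-padded up to hdr_size.
    meta = json.loads(image[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0])
    slots = {}
    for slot_id, slot in meta.get("keyslots", {}).items():
        kdf = slot.get("kdf", {})
        # "memory" (KiB) is only present for argon2i / argon2id keyslots.
        slots[slot_id] = {"type": kdf.get("type"), "memory_kib": kdf.get("memory")}
    return {"version": 2, "keyslots": slots}


def constructed_luks2(kdf: dict, hdr_size: int = 16384) -> bytes:
    """Build a minimal, constructed LUKS2 header image for testing the parser."""
    meta = json.dumps({"keyslots": {"0": {"type": "luks2", "kdf": kdf}}}).encode()
    binary = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(LUKS2_BIN_HDR, b"\0")
    return (binary + meta).ljust(hdr_size, b"\0")


def constructed_luks1() -> bytes:
    """Build a minimal, constructed LUKS1 header image (magic and version only)."""
    return (LUKS_MAGIC + struct.pack(">H", 1)).ljust(592, b"\0")


if __name__ == "__main__":
    sample = constructed_luks2({"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4})
    print(luks_kdf_report(sample))
    print(luks_kdf_report(constructed_luks1()))
```
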