-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
150 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| +++ | ||
| title = "Tumbleweed with LUKS2 and Argon2" | ||
| date = 2024-03-31T16:01:47+02:00 | ||
| draft = false | ||
| +++ | ||
|
|
||
| The steps below show how you can install openSUSE Tumbleweed with [LUKS2](https://gitlab.com/cryptsetup/LUKS2-docs/blob/main/luks2_doc_wip.pdf) and [Argon2id](https://datatracker.ietf.org/doc/html/rfc9106) as Password-Based Key Derivation Function (PBKDF) when using [systemd-boot](https://news.opensuse.org/2024/03/05/systemd-boot-integration-in-os) instead of GRUB2 as bootloader. | ||
|
|
||
| 1. Perform a normal installation and modify the booting options on the confirmation page at the end | ||
| before the installation begins | ||
| 1. Select `systemd-boot` as bootloader | ||
| 1. After the installation, reboot and boot into the rescue system of the installation medium | ||
| 1. Login as `root` | ||
| 1. Convert `LUKS1` to `LUKS2` with: | ||
|
|
||
| ```bash | ||
| cryptsetup convert --type luks2 /dev/sdaX | ||
| ``` | ||
|
|
||
| 1. Check the result with: | ||
|
|
||
| ```bash | ||
| cryptsetup luksDump /dev/sdaX | ||
| LUKS header information | ||
| Version: 2 | ||
| Epoch: 4 | ||
| Metadata area: 16384 [bytes] | ||
| Keyslots area: 2064384 [bytes] | ||
| UUID: XXXXXXXXXXXXXXXXXXXXX | ||
| Label: (no label) | ||
| Subsystem: (no subsystem) | ||
| Flags: (no flags) | ||
| Data segments: | ||
| 0: crypt | ||
| offset: 2097152 [bytes] | ||
| length: (whole device) | ||
| cipher: aes-xts-plain64 | ||
| sector: 512 [bytes] | ||
| Keyslots: | ||
| 0: luks2 | ||
| Key: 512 bits | ||
| Priority: normal | ||
| Cipher: aes-xts-plain64 | ||
| Cipher key: 512 bits | ||
| PBKDF: PBKDF2 | ||
| Time cost: 7 | ||
| Memory: 1048576 | ||
| Threads: 4 | ||
| Salt: XXXXXXXXXXXXXXXXXX | ||
| AF stripes: 4000 | ||
| AF hash: sha256 | ||
| Area offset:290816 [bytes] | ||
| Area length:258048 [bytes] | ||
| Digest ID: 0 | ||
| Tokens: | ||
| Digests: | ||
| 0: pbkdf2 | ||
| Hash: sha256 | ||
| Iterations: 129774 | ||
| Salt: XXXXXXXXXXXXXXXXXX | ||
| Digest: XXXXXXXXXXXXXXXXXX | ||
| ``` | ||
|
|
||
| 1. Change the PBKDF: | ||
|
|
||
| ```bash | ||
| cryptsetup luksConvertKey --pbkdf argon2id /dev/sdaX | ||
| ``` | ||
|
|
||
| 1. Check the result again with: | ||
|
|
||
| ```bash | ||
| cryptsetup luksDump /dev/sdaX | ||
| LUKS header information | ||
| Version: 2 | ||
| Epoch: 4 | ||
| Metadata area: 16384 [bytes] | ||
| Keyslots area: 2064384 [bytes] | ||
| UUID: XXXXXXXXXXXXXXXXXXXXX | ||
| Label: (no label) | ||
| Subsystem: (no subsystem) | ||
| Flags: (no flags) | ||
| Data segments: | ||
| 0: crypt | ||
| offset: 2097152 [bytes] | ||
| length: (whole device) | ||
| cipher: aes-xts-plain64 | ||
| sector: 512 [bytes] | ||
| Keyslots: | ||
| 0: luks2 | ||
| Key: 512 bits | ||
| Priority: normal | ||
| Cipher: aes-xts-plain64 | ||
| Cipher key: 512 bits | ||
| PBKDF: argon2id | ||
| Time cost: 7 | ||
| Memory: 1048576 | ||
| Threads: 4 | ||
| Salt: XXXXXXXXXXXXXXXXXX | ||
| AF stripes: 4000 | ||
| AF hash: sha256 | ||
| Area offset:290816 [bytes] | ||
| Area length:258048 [bytes] | ||
| Digest ID: 0 | ||
| Tokens: | ||
| Digests: | ||
| 0: pbkdf2 | ||
| Hash: sha256 | ||
| Iterations: 129774 | ||
| Salt: XXXXXXXXXXXXXXXXXX | ||
| Digest: XXXXXXXXXXXXXXXXXX | ||
| ``` | ||
|
|
||
| 1. Reboot into your system | ||
|
|
||
| Regarding the used cipher, you can benchmark the available ones with | ||
|
|
||
| ```bash | ||
| cryptsetup benchmark | ||
| # Tests are approximate using memory only (no storage IO). | ||
| PBKDF2-sha1 1528536 iterations per second for 256-bit key | ||
| PBKDF2-sha256 2092966 iterations per second for 256-bit key | ||
| PBKDF2-sha512 1546572 iterations per second for 256-bit key | ||
| PBKDF2-ripemd160 897753 iterations per second for 256-bit key | ||
| PBKDF2-whirlpool 691672 iterations per second for 256-bit key | ||
| argon2i 7 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time) | ||
| argon2id 7 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time) | ||
| # Algorithm | Key | Encryption | Decryption | ||
| aes-cbc 128b 1282.2 MiB/s 3857.8 MiB/s | ||
| serpent-cbc 128b 104.2 MiB/s 820.8 MiB/s | ||
| twofish-cbc 128b 242.6 MiB/s 435.4 MiB/s | ||
| aes-cbc 256b 962.9 MiB/s 3095.0 MiB/s | ||
| serpent-cbc 256b 107.9 MiB/s 819.7 MiB/s | ||
| twofish-cbc 256b 248.5 MiB/s 426.4 MiB/s | ||
| aes-xts 256b 3825.8 MiB/s 3821.4 MiB/s | ||
| serpent-xts 256b 715.6 MiB/s 723.8 MiB/s | ||
| twofish-xts 256b 388.7 MiB/s 390.9 MiB/s | ||
| aes-xts 512b 3086.5 MiB/s 3083.5 MiB/s | ||
| serpent-xts 512b 710.5 MiB/s 710.8 MiB/s | ||
| twofish-xts 512b 384.4 MiB/s 385.9 MiB/s | ||
| ``` | ||
|
|
||
| and decide if you want a different cipher instead of `aes-xts-plain64`. The results above represent an Intel i7-8665U. |