LUKS2 the right way: Argon2

Version 2 of cryptsetup got a few fancy new options; one of them is the ability to use Argon2 as the key derivation function (PBKDF) that protects the keyslots.
Creating a LUKS2 volume with Argon2id as the PBKDF is very easy (-i is the iteration time in milliseconds: cryptsetup benchmarks the Argon2 parameters so that unlocking takes roughly that long):

sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdb

Please note that GRUB still does not support Argon2, so it can't be used for the drive GRUB has to unlock at boot.
Once the volume is created, to open it, put a filesystem on it and mount it run:

sudo cryptsetup luksOpen /dev/sdb <luks_volume_name>
sudo mkfs.xfs /dev/mapper/<luks_volume_name>
sudo mount /dev/mapper/<luks_volume_name> /mountpoint

To have the volume mounted at boot add the following line to /etc/crypttab (the UUID is that of the LUKS device, as shown by blkid or luksDump):

<luks_volume_name> UUID=2e100f89-b0dd-44f3-9c0c-e8cab0d4fc14 none discard

and the following line to /etc/fstab:

/dev/mapper/<luks_volume_name> /mountpoint xfs defaults,x-systemd.device-timeout=0,noatime 0 0

To manually open and mount a LUKS volume (the mount point is looked up in /etc/fstab) run:

sudo cryptsetup luksOpen /dev/sdb <luks_volume_name>
sudo mount /dev/mapper/<luks_volume_name>

To manually unmount and close a LUKS volume run (luksClose takes the mapping name, not the block device):

sudo umount /mountpoint
sudo cryptsetup luksClose <luks_volume_name>

To get info regarding a LUKS encrypted volume run:

sudo cryptsetup luksDump /dev/sdb

Here comes the fun part: let's say we have a LUKS2 volume and we want to change the key derivation function to argon2i/d/id without re-encrypting the whole volume. With --keep-key the volume key and the data stay untouched; only the keyslots are rewritten with the new PBKDF:

sudo dnf install cryptsetup-reencrypt
sudo cryptsetup-reencrypt --keep-key --pbkdf argon2id /dev/sdb

Newer cryptsetup releases can do the same keyslot conversion on their own with "cryptsetup luksConvertKey --pbkdf argon2id /dev/sdb".

As a general note, Argon2id is the all-around best variant; don't use Argon2i or Argon2d unless you really know what you are doing.
After changing crypttab and fstab remember to regenerate the initramfs; to do so on Fedora/CentOS/RHEL run:

sudo dracut --regenerate-all --force
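After converting the keyslots it is worth checking with luksDump that no keyslot was left on the old PBKDF (for example a second passphrase slot added earlier). The following is an added example, not code from the original post: a small POSIX shell filter that parses luksDump output and reports every keyslot whose PBKDF is not argon2id. The dump embedded below is a constructed sample with placeholder values, included so the script runs offline; on a real system pipe "sudo cryptsetup luksDump /dev/sdb" into weak_keyslots instead.

```shell
#!/bin/sh
# Added example (not from the original post): list LUKS2 keyslots that still use
# a PBKDF other than argon2id, by parsing "cryptsetup luksDump" output.
# Real use:  sudo cryptsetup luksDump /dev/sdb | weak_keyslots
# SAMPLE_DUMP is a constructed sample, not a real header (UUID and sizes are placeholders).

SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 2000000
    Digest ID:  0
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  7
    Memory:     1048576
    Threads:    4
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 117000'

# weak_keyslots: read a luksDump on stdin, print "<slot> <pbkdf>" for every keyslot
# whose PBKDF is not argon2id. Only the "Keyslots:" section is inspected: the
# "Digests:" section also says pbkdf2, but that is the header digest, not a
# passphrase slot, and it is not what luksConvertKey / --pbkdf changes.
weak_keyslots() {
  awk '
    /^Keyslots:/ { in_slots = 1; next }
    /^[A-Za-z]/  { in_slots = 0 }                 # any other top-level heading ends the section
    in_slots && /^  [0-9]+: / { slot = $1; sub(":", "", slot) }
    in_slots && /^[ \t]+PBKDF:/ && $2 != "argon2id" { print slot, $2 }
  '
}

# Stand-alone demo on the constructed sample; prints "0 pbkdf2".
printf '%s\n' "$SAMPLE_DUMP" | weak_keyslots
```

An empty result means every keyslot is on Argon2id. If a slot is reported, convert it as described above (luksConvertKey with --key-slot, or a second reencrypt run), then re-run the check.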

Generate a secure SSH key

In Fedora, CentOS and probably many other Linux distros "ssh-keygen" still defaults to RSA 2048.
People have not yet realized that the newer, and also faster, elliptic curve cryptography is available; even among my peers I still see many using old and insecure RSA-based keys.
Since SSH clients support multiple keys, transitioning to newer keys can be painless:
1. create a new elliptic curve key;
2. do not delete the old RSA key;
3. once you log in to a server, swap the old key for the new one in its authorized_keys.
Generating a new secure SSH key is pretty simple; just open a terminal and run (-a 256 sets the number of KDF rounds used to protect the private key with its passphrase):

ssh-keygen -o -a 256 -t ed25519
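Step 3 above is where people lock themselves out: the old key gets removed before the new one is confirmed to be in place. The following is an added example, not code from the original post, showing the swap done against an authorized_keys file in a safe order: append the new key, re-check that it landed, and only then drop every line carrying the old key's blob. Both keys are constructed placeholders (the base64 blobs are not valid key material); the helper names key_blob, has_key and swap_key are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): replace an old RSA public key with
# a new ed25519 key in an authorized_keys file without a window where neither works.
# OLD_KEY / NEW_KEY are constructed placeholders, not real keys.

OLD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOLDKEYPLACEHOLDER/OLDKEY+PLACEHOLDER== user@laptop'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDERNEWKEYPLACEHOLDER user@laptop'

# key_blob KEY: print the base64 blob (second field) of a public-key line.
# The trailing comment may differ between copies; the blob identifies the key.
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# has_key FILE KEY: succeed if FILE already contains KEY's blob.
has_key() { grep -qF -- "$(key_blob "$2")" "$1" 2>/dev/null; }

# swap_key FILE OLD NEW: add NEW if missing, verify it is there, then remove OLD.
# The file is rewritten in place through cat so its mode (600) and inode are kept,
# which matters for sshd's permission checks on ~/.ssh/authorized_keys.
swap_key() {
  file=$1; old=$2; new=$3
  has_key "$file" "$new" || printf '%s\n' "$new" >> "$file"
  has_key "$file" "$new" || return 1      # refuse to drop OLD if NEW did not land
  tmp=$(mktemp) || return 1
  # grep -v exits 1 when no line remains; tolerate that, but treat 2 (I/O error) as failure
  grep -vF -- "$(key_blob "$old")" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}

# Stand-alone demo on a throwaway file (constructed, not your real authorized_keys).
demo() {
  f=$(mktemp) || return 1
  printf '%s\n' "$OLD_KEY" > "$f"
  swap_key "$f" "$OLD_KEY" "$NEW_KEY" && cat "$f"
  rm -f "$f"
}
```

In practice you would run this on the server after confirming, from a second session, that the new key logs in; matching on the blob rather than the whole line means the old key is removed even if its comment was edited on the server.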

Generate a secure GPG key

For some reason "gpg --gen-key" still defaults to SHA1 and RSA 2048; given the known weaknesses of SHA1 it is probably a better idea to use SHA256.
First of all, we need to put the following settings in the GnuPG configuration file (~/.gnupg/gpg.conf):

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

To generate a new key run one of the following (when asked, choose RSA with a 4096-bit key size):

gpg --gen-key
### or
gpg --full-generate-key

Other useful commands are:

### Displays keys and short key IDs
gpg --list-keys
### Displays the full fingerprint of the specified key
gpg --fingerprint <short key ID>
### Remove GPG key from the local keyring
gpg --delete-secret-keys 2DA06294
gpg --delete-keys 2DA06294
### Export keys
gpg --output mygpgkey_pub.gpg --armor --export <short key ID>
gpg --output mygpgkey_sec.gpg --armor --export-secret-key <short key ID>

Those two .gpg files can now be imported into Thunderbird's Enigmail, or moved to other machines and imported into the local keyring there.
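To find out which keys in an existing keyring still fall short of the RSA 4096 advice above, gpg's machine-readable listing (gpg --list-keys --with-colons) is easier to parse than the human-readable one. The following is an added example, not code from the original post: a POSIX shell filter over that colon-separated format that reports RSA keys (primary and sub keys) shorter than a threshold. The listing embedded below is a constructed sample with placeholder key IDs, fingerprints and dates so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): flag RSA keys shorter than N bits in
# the colon-separated output of "gpg --list-keys --with-colons".
# Real use:  gpg --list-keys --with-colons | weak_keys 4096
# SAMPLE_LISTING is a constructed sample; IDs, fingerprints and dates are placeholders.

SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1500000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Old Key <old@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1500000000::::::e::::::23:
pub:u:4096:1:00000000DEADBEEF:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Strong Key <strong@example.invalid>::::::::::0:
pub:u:255:22:1111111111111111:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD::Ed25519 Key <ed@example.invalid>::::::::::0:'

# weak_keys [MIN_BITS]: read --with-colons output on stdin and print "<keyid> rsa<bits>"
# for every pub or sub record that is RSA (public-key algorithm 1) with fewer than
# MIN_BITS bits (default 4096). Colon-format fields used here:
#   1 record type, 3 key length in bits, 4 public-key algorithm, 5 key ID.
# EdDSA keys (algorithm 22) report a 255-bit length and are deliberately not flagged.
weak_keys() {
  min=${1:-4096}
  awk -F: -v min="$min" '
    ($1 == "pub" || $1 == "sub") && $4 == 1 && $3 + 0 < min + 0 { print $5, "rsa" $3 }
  '
}

# Stand-alone demo on the constructed sample; prints the two 2048-bit RSA entries.
printf '%s\n' "$SAMPLE_LISTING" | weak_keys
```

Sub keys are checked too because an encryption sub key weaker than the primary key is the one that actually protects incoming mail.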

Resources
https://keyring.debian.org/creating-key.html