
LUKS2 the right way: Argon2

· by fabio · Read in about 2 min · (235 Words)
Argon2 cryptsetup Encryption fedora luks LUKS2

cryptsetup 2.0 introduced the LUKS2 on-disk format and, with it, the option to use Argon2 instead of PBKDF2 as the key derivation function (PBKDF) that protects the keyslots.
Creating a LUKS2 volume with Argon2id as the PBKDF is very easy:

sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdb

Here -M luks2 selects the LUKS2 header format, --pbkdf argon2id selects the key derivation function, and -i 5000 (--iter-time) makes cryptsetup benchmark the Argon2 parameters so that unlocking takes about 5 seconds on this machine. The memory cost is also chosen at format time (see --pbkdf-memory), so a volume formatted on a big box can be noticeably slower to open on a machine with much less RAM.

Please note that GRUB does not support it (at the time of writing), so it can’t be used for a drive that GRUB has to unlock at boot.
Once the volume is created, open it, create a filesystem on the mapped device and mount it:

sudo cryptsetup luksOpen /dev/sdb <luks_volume_name>
sudo mkfs.xfs /dev/mapper/<luks_volume_name>
sudo mount /dev/mapper/<luks_volume_name> /mountpoint

To have the volume unlocked and mounted at boot, add an entry for the LUKS container to /etc/crypttab and an entry for the mapped device to /etc/fstab. The UUID in crypttab is that of the LUKS container itself (as printed by blkid /dev/sdb), not of the filesystem inside it.

/etc/crypttab:

<luks_volume_name> UUID=2e100f89-b0dd-44f3-9c0c-e8cab0d4fc14 none discard

/etc/fstab:

/dev/mapper/<luks_volume_name>    /mountpoint xfs defaults,x-systemd.device-timeout=0,noatime 0 0

The discard option passes TRIM through to the underlying SSD; it helps performance but reveals which blocks of the encrypted device are unused, so leave it out if that matters to you.

To manually mount a LUKS volume (the mount step uses the fstab entry above) run:

sudo cryptsetup luksOpen /dev/sdb <luks_volume_name>
sudo mount /dev/mapper/<luks_volume_name>

To manually unmount a LUKS volume run:

sudo umount /mountpoint
sudo cryptsetup luksClose <luks_volume_name>

To get info regarding a LUKS encrypted volume (the Keyslots section shows the PBKDF each keyslot uses, so you can confirm it says argon2id) run:

sudo cryptsetup luksDump /dev/sdb

Here comes the fun part: say we have an existing LUKS2 volume and want to switch its key derivation function to argon2i/argon2d/argon2id without re-encrypting the whole volume. The PBKDF only protects the keyslots, not the data, so only the keyslots need to be rewritten:

sudo dnf install cryptsetup-reencrypt
sudo cryptsetup-reencrypt --keep-key --pbkdf argon2id /dev/sdb

--keep-key leaves the volume key alone, so the data area is not touched and only the keyslots are rewritten. On cryptsetup 2.x the same change can be made per keyslot, without the extra package, with cryptsetup luksConvertKey --pbkdf argon2id /dev/sdb. If the volume still has a LUKS1 header, convert it first with cryptsetup convert --type luks2 /dev/sdb, which also keeps the data in place.

As a general note, Argon2id is the all-around best variant: don’t use Argon2i or Argon2d unless you really know what you are doing.

After changing crypttab and fstab remember to regenerate the initramfs; on Fedora/CentOS/RHEL run:

sudo dracut --regenerate-all --force
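Putting the whole procedure together, as an added example that is not part of the original post: a shell script that wraps the format/open/mount steps, builds the crypttab and fstab lines from the container UUID, switches an existing volume's keyslots to Argon2id with luksConvertKey, and parses luksDump output to confirm that every keyslot really uses the wanted PBKDF. The device, mapping name and mount point are placeholders you pass in; the privileged functions only run when called explicitly, and the luksDump excerpt at the bottom is constructed for an offline self-check.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes cryptsetup 2.x, blkid and dracut.
# Arguments such as /dev/sdb, "data" and /mnt/data are placeholders supplied by the caller.
set -eu

# Format DEV as LUKS2 with Argon2id keyslots (benchmarked to ~5 s unlock on this
# machine), open it, put XFS on the mapped device and mount it. Destroys data on DEV.
luks2_argon2_setup() {
  dev="$1"; name="$2"; mnt="$3"
  sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id --iter-time 5000 "$dev"
  sudo cryptsetup open "$dev" "$name"
  sudo mkfs.xfs "/dev/mapper/$name"
  sudo mkdir -p "$mnt"
  sudo mount "/dev/mapper/$name" "$mnt"
}

# crypttab entry: the UUID is the LUKS container's (blkid on the raw device),
# not the filesystem's. "discard" passes TRIM through; drop it if block-usage leakage matters.
crypttab_line() {
  printf '%s UUID=%s none discard\n' "$1" "$2"
}

# fstab entry for the mapped device, with the same options as the post uses.
fstab_line() {
  printf '/dev/mapper/%s %s xfs defaults,x-systemd.device-timeout=0,noatime 0 0\n' "$1" "$2"
}

# Append both entries and rebuild the initramfs (Fedora/CentOS/RHEL).
luks2_persist_at_boot() {
  dev="$1"; name="$2"; mnt="$3"
  uuid=$(sudo blkid -s UUID -o value "$dev")
  crypttab_line "$name" "$uuid" | sudo tee -a /etc/crypttab >/dev/null
  fstab_line "$name" "$mnt" | sudo tee -a /etc/fstab >/dev/null
  sudo dracut --regenerate-all --force
}

# Rewrite the keyslots of an existing LUKS2 volume with a new PBKDF without
# touching the data (cryptsetup 2.x built-in alternative to cryptsetup-reencrypt --keep-key).
luks2_convert_pbkdf() {
  dev="$1"; pbkdf="${2:-argon2id}"
  sudo cryptsetup luksConvertKey --pbkdf "$pbkdf" "$dev"
}

# Read `cryptsetup luksDump` output on stdin; succeed only if at least one keyslot
# exists and every keyslot's "PBKDF:" field equals $1 (e.g. argon2id).
# The Digests section always reports pbkdf2, but on a "<n>: pbkdf2" line, so it is ignored.
keyslots_use_pbkdf() {
  want="$1"; found=0
  while read -r key val || [ -n "${key:-}" ]; do
    [ "$key" = "PBKDF:" ] || continue
    found=$((found + 1))
    [ "$val" = "$want" ] || return 1
  done
  [ "$found" -gt 0 ]
}

# Check a live device: all keyslots must use the wanted PBKDF.
luks2_check_pbkdf() {
  sudo cryptsetup luksDump "$1" | keyslots_use_pbkdf "${2:-argon2id}"
}

# Constructed excerpt of LUKS2 luksDump output (not captured from a real device),
# used to exercise the parser offline.
SAMPLE_DUMP='Keyslots:
  0: luks2
	Key:        512 bits
	PBKDF:      argon2id
	Time cost:  4
	Memory:     1048576
	Threads:    4
Digests:
  0: pbkdf2
	Hash:       sha256'

# Offline self-check of the parser against the constructed sample.
selfcheck() {
  printf '%s\n' "$SAMPLE_DUMP" | keyslots_use_pbkdf argon2id
}

# Usage on a real device (only after reading the comments above):
#   luks2_argon2_setup /dev/sdb data /mnt/data
#   luks2_persist_at_boot /dev/sdb data /mnt/data
#   luks2_convert_pbkdf /dev/sdb argon2id
#   luks2_check_pbkdf /dev/sdb argon2id && echo "all keyslots use argon2id"
```

The parser only looks at the keyslot "PBKDF:" field, which is where the Argon2 choice is recorded; the pbkdf2 entry under Digests is the header's key digest and is expected on every LUKS2 volume, so it is deliberately not treated as a failure.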