Re: PSA for LUKS users

From: Vagrant Cascadian
Subject: Re: PSA for LUKS users
Date: Wed, 19 Apr 2023 21:03:54 -0700

On 2023-04-19, Felix Lechner via wrote:
> Given the broad popularity of LUKS full-disk encryption among our
> fellow Guix users, I thought the community might appreciate reading
> about potentially weak key-derivation functions in older LUKS
> installations. [1]
> The article even offers fixes, although I cannot say whether your
> system will boot after you follow the steps since I do not use LUKS
> personally. Stay safe!
> [1]

In short, those instructions will almost certainly break Guix System!

While recent grub2 finally has limited support for luks2, it only
supports the weaker KDF (key derivation function) (PBKDF2?), as I
understand it, though would be happy to be proven wrong!

Because Guix System does not yet support a separate /boot partition,
this means if you want "full-disk encryption" you are limited to weak
KDF for the whole filesystem, instead of just a weak /boot partition
(e.g. either luks1, luks2 with weaker pbkdf2, or entirely
unencrypted). There is a bug about being able to use a split /boot

Alternately, you could probably get a weaker encrypted rootfs (using
luks1 or luks2+PBKDF) and still have a state-of-the-art luks2+argon2id
partition for /home. Maybe if you were adventurous /var/guix, which
might allow detecting a compromise with "guix gc" which contains the
checksums of files in /gnu/store?

With both the split /boot approach or the weaker rootfs with stronger
/home partition, there is some risk of an (admittedly very sophisticated
and still probably quite expensive) evil maid attack.

Well... fun times, folks!

live well,


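As an added example, not part of this thread or of Guix: a small POSIX shell script that reads `cryptsetup luksDump` output and reports the PBKDF of each LUKS2 keyslot, so you can see which slots a PBKDF2-only GRUB (as the message above describes it) could still open before touching any header. The sample dump is constructed; the `cryptsetup luksDump` layout it assumes is the one shown in that sample.

```shell
#!/bin/sh
# Added example, not from the thread: report the PBKDF of every LUKS2 keyslot
# so you can check, before changing a header, whether a GRUB that (per the
# message above) only unlocks pbkdf2 could still open the device.
# Assumes the `cryptsetup luksDump` layout of the constructed sample below.

# Constructed sample: a luks2 header with one argon2id slot and one pbkdf2 slot.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Read a luksDump on stdin; print "<slot> <kdf> <verdict>" per keyslot.
# A luks1 header has no PBKDF: lines (luks1 always uses pbkdf2), so it is
# summarised as a single line. Only the Keyslots: section is inspected, since
# the Digests: section also mentions pbkdf2 but says nothing about keyslots.
classify_dump() {
    awk '
        $1 == "Version:"  { ver = $2 }
        $1 == "Keyslots:" { in_slots = 1; next }
        $1 == "Tokens:" || $1 == "Digests:" { in_slots = 0 }
        in_slots && $2 == "luks2" && $1 ~ /^[0-9]+:$/ { slot = $1; sub(":", "", slot) }
        in_slots && $1 == "PBKDF:" {
            print slot, $2, ($2 == "pbkdf2" ? "grub-ok" : "grub-unsupported")
        }
        END { if (ver == "1") print "all pbkdf2 grub-ok" }
    '
}

# Against a real device (needs root), e.g.: classify_device /dev/sda2
classify_device() {
    cryptsetup luksDump "$1" | classify_dump
}
```

Running `printf '%s' "$SAMPLE_DUMP" | classify_dump` lists slot 0 as grub-unsupported and slot 1 as grub-ok, which is the split-KDF situation the message describes for a rootfs versus /home layout.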