I installed endeavourOS 2 days ago and then, the next day, there was a newnrelease of endeavourOS. It’s supposed to have better encryption. Is it possible to upgrade encryption on Linux? An unrelated question: is it possible to change the password of an encrypted partition? I’m a beginner, so please explain your magical commands.

  • I assume you’re referring to this tidbit:

    Stronger LUKS2 encryption when chosen systemd-boot

    When LUKS encryption with systemd-boot is chosen, the system will be installed with a stronger LUKS2 encryption using argon2id.

    You can upgrade the PKDF if you want. There’s a guide in this article which assumes some preexisting technical knowledge. The commands should be simple enough, but you need to replace /dev/whatever with the path of your encrypted partition (like /dev/sda2, /dev/nvme0p2). You can find this path in the GUI disk management tool your desktop environment probably came with.

    If you use systemd-boot and follow that guide, you should be able to upgrade your security without any issue. However, it’s essential to ensure that 1) you are indeed using systemd-boot, as older bootloaders like Grub don’t support all recent key derivation functions, and 2) that your systemd-boot is up to date (just install updates through the normal means your distro provides to accomplish this).

    If you follow the guide, you will end up with a backup of the LUKS header which will allow you to restore the old key setup if something breaks. Be careful with that backup, because if someone with bad intentions finds it, it’ll basically undo the hard work you did to upgrade LUKS.

    I’m not entirely sure how critical this upgrade is, based on the fact there’s only one scarcely reported incident where the encryption was supposedly broken. There’s no reason why you shouldn’t want the best security you can get, but it’s not like there’s a commonly known secret trick to bypass your computer’s encryption; if it exists at all, it’s hidden very well by law enforcement agencies.

    As for the password question: yes, you can change the password. You can even use multiple passwords to unlock the same drive, or use password files in automated setups that are much stronger than simple passwords.

    Changing the password may be as simple as opening the disk management tool and right clicking the encrypted partition, depending on what desktop environment you chose to install. EndeavourOS very much prefers customisation over standardisation so I can’t tell you what tools you have installed on your system, but common desktop environments like Gnome will have advanced disk management tools that will allow you to change the password without any command line knowledge.

  • d3Xt3r@lemmy.nzM
    link
    fedilink
    arrow-up
    4
    arrow-down
    3
    ·
    edit-2
    1 year ago

    If you’re a beginner then don’t worry about the encryption. Unless you’re hiding from some three-letter agency or being targeted by hackers or something, LUKS1 encryption is more than good enough (for an average home user).

    But just so you’re aware, whilst it’s trivial to convert to LUKS2 using cryptsetup convert, you’ll need to first switch your bootloader to systemd-boot from GRUB, and that may not be a trivial process as there’re multiple variables involved - is your ESP big enough, have you mounted your ESP to /boot, whether you’re using secure boot or not, whether you’re dual-booting or not etc. Plus you’ll also need to manually create a bootloader config file that’s specific to your system, and maybe even add a line to load a CPU microcode file if you’re on Intel… there’s a lot of things to consider here.

    Honestly, I wouldn’t recommend EndeavorOS to you as a newbie, because it’s basically Arch, but by making the installation easy, you’re skipping all the knowledge you’d get of your system and how it works. And when it comes to situations like you’re in, you reach a roadblock because you took the easy path.

    If you’re really interested in Arch then I’d recommend wiping your system and install Arch manually, the Arch way.

      • d3Xt3r@lemmy.nzM
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Apparently there’s still some limitations, according to the Arch Wiki:

        • Initial LUKS2 support was added to GRUB 2.06, but with several limitations that are only partially addressed in GRUB 2.12rc1. See GRUB bug #55093.

        • Since GRUB 2.12rc1, grub-install can create a core image to unlock LUKS2. However, it only supports PBKDF2, not Argon2.

        • Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.

        • 0v0@sopuli.xyz
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.

          There is this patch, although I have not tested it myself. There is always cryptsetup luksAddKey --pbkdf pbkdf2.

          • d3Xt3r@lemmy.nzM
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            That patch looks promising. But I wouldn’t recommend PBKDF2, I mean if you’re going to go thru the trouble of converting to LUKS2 for stronger encryption, might as well go for Argon2.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        EndeavourOS switched their key derivation function to argon2id, which Grub doesn’t support yet. LUKS2 will work fine, but only with the older PBKDFs, not the one that Endeavour switched to as of a few days ago.

        If OP wants to upgrade their encryption to argon2id to match a fresh Endeavour install, they won’t be able to do it with Grub. That said if they’re using Grub right now, nothing would’ve changed in terms of security whether they installed last week or today because the Endeavour change only affects systemd-boot installs.