Hi!
I use Calamares full disk encryption on my systems. I know that with the recent 5.7 ISOs release that feature was disabled temporarily. So what's the current status of it? I really need it. Any workarounds? :)
So after further investigation (see references below) it seems the current scenario is, please correct me if I'm wrong:
1. Calamares uses cryptsetup to encrypt;
2. Cryptsetup (currently version 2.1.0 on Debian testing) defaults to LUKS2;
3. GRUB currently only supports LUKS1 and no other bootloader supports LUKS2 yet;
4. From the former, full-disk encryption with current Calamares/cryptsetup will always fail!
Solutions or workarounds:
a. Wait for GRUB to support LUKS2, if and when it will support it;
b. Explicitly use LUKS1 for /boot encryption (on Calamares?) with option "--type luks1" (the partition that GRUB loads/decrypts);
c. Replace Debian's cryptsetup by a custom built version with option "--with-default-luks-format=LUKS1" to default to LUKS1.
So (a.) isn't desirable and I don't know how easy it is to work around Calamares with (b.). Perhaps the current best approach will be (c.), for Sparkylinux to build and hold a custom cryptsetup package built with option "--with-default-luks-format=LUKS1", until (a.) or (b.) are resolved.
What do you guys think?
https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/v2.1.0-ReleaseNotes
https://github.com/calamares/calamares/issues/1096
https://github.com/calamares/calamares/issues/1099
https://savannah.gnu.org/bugs/?55093
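A check for the mismatch described in the post above, added here as an example and not taken from the thread or from any of the projects it mentions: it reads the on-disk header of a container and reports whether it is LUKS1, the only format the thread says GRUB can unlock. The function names are hypothetical, the sample headers are constructed, and the only format detail relied on is that a LUKS header starts with the magic bytes `LUKS\xba\xbe` followed by a 2-byte big-endian version.

```shell
#!/bin/sh
# Added example: report the LUKS header version of a device or image file and
# whether GRUB (LUKS1 only, per the thread) could unlock it at boot.

# luks_version FILE: print 1 or 2 if FILE starts with a LUKS header, else fail.
luks_version() {
    # Bytes 0-5: magic "LUKS" 0xBA 0xBE; bytes 6-7: big-endian version number.
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# grub_unlock_check FILE: 0 = LUKS1, 1 = LUKS2 (GRUB cannot unlock), 2 = not LUKS.
grub_unlock_check() {
    ver=$(luks_version "$1") || { echo "$1: no LUKS header found"; return 2; }
    if [ "$ver" = 1 ]; then
        echo "$1: LUKS1, usable for a GRUB-unlocked /boot"
        return 0
    fi
    # Workaround (b.) from the thread: create the container with --type luks1.
    echo "$1: LUKS$ver, GRUB cannot unlock it; format with 'cryptsetup luksFormat --type luks1'"
    return 1
}

# make_header FILE VERSION: write a constructed 8-byte sample header
# (magic + version only; this is not a usable encrypted container).
make_header() {
    case "$2" in
        1) printf 'LUKS\272\276\000\001' ;;
        2) printf 'LUKS\272\276\000\002' ;;
    esac > "$1"
}

# Demo on constructed samples; on a real system pass the partition that GRUB
# has to decrypt instead (reading it needs root).
demo_dir=$(mktemp -d)
make_header "$demo_dir/luks1.img" 1
make_header "$demo_dir/luks2.img" 2
grub_unlock_check "$demo_dir/luks1.img" || true
grub_unlock_check "$demo_dir/luks2.img" || true
rm -rf "$demo_dir"
```
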
@pavroo Any thoughts on this matter?
The full disk encryption worked fine up to Sparky version 5.6 and still works on Sparky stable 4.9.
I removed the full encryption from Calamares in Sparky 5.7 and am waiting for the Debian devs to move; I think that after releasing Debian Buster stable, they will fix that for Sid and then move to the new testing repos.
Anyway, I got an update of grub yesterday, which installed libefivar and libefiboot (on a BIOS machine), but I did not check whether it solves anything.
Hi! Thank you for replying, @pavroo
I would just like to let you know that there is no use waiting for Debian; it's upstream GRUB that has to fully support LUKS2, whenever and if that happens. So it's not up to Debian to solve it. Also, Debian does not use Calamares and doesn't offer full-disk encryption (/boot included) in the Debian installer. It's explained well if you read through the reference links I posted.
If you'd like to work around it, as a temporary solution, until GRUB supports LUKS2 [option (a.) in my post], you currently have two options:
b. Setup Calamares to force cryptsetup to use LUKS1 (compatible with GRUB);
c. Replace Debian's cryptsetup by a custom built package (defaulting to LUKS1);
As a hint, the guys at Manjaro and Q4OS distros have already opted with (b.) and configured Calamares to use LUKS1 while preserving cryptsetup untouched and released newer ISOs with it. This seems the best option currently. It works out of the box. I hope this helps you in any way.
Fixed, temporarily downgraded cryptsetup to version 2.0.x.
New ISO images 5.7.1 with full disk encryption via Calamares are already uploaded to mirrors.
That should work, although not the better option, probably. All the bug fixes and features released since that version and future updates won't be available and that may lead to issues or breaks for some users/systems. The cleaner workaround would be to:
b. Setup Calamares to force cryptsetup to use LUKS1 for encryption install (with option "--type luks1");
This way the cryptsetup package isn't altered and updates normally.
Also I noticed that on my current already installed Sparky system, cryptsetup was forcefully downgraded from Debian's "2.1.0-2" to the "2.0.4-2ubuntu2" version from the sparkylinux repo. Not good! :(
As I said before, it was temporary, so do a system upgrade now to get the latest version of cryptsetup back.
Ah, ok got it. You did it only for building the ISO. Updated now. Thanks! :)