Welcome to SparkyLinux forums
Zapraszamy również na polsko-języczne Forum https://forum.linuxiarze.pl

[solved] Calamares full-disk encryption status?

Started by jotapesse, March 28, 2019, 09:59:27 AM

Previous topic - Next topic

jotapesse

Hi!

I use Calamares full disk encryption on my systems. I know that with recent 5.7 ISOs release that feature was disabled temporarly. So what's the current status of it? I really need it. Any workarounds? :)
jotapesse - Obrigado / Thank you.

jotapesse

#1
So after further investigation (see references below) it seems the current scenario is, please correct me if I'm wrong:

1. Calamares uses cryptsetup to encrypt;
2. Cryptsetup (currently version 2.1.0 on Debian testing) defaults to LUKS2;
3. GRUB currently only suppports LUKS1 and no other bootloader supports LUKS2 yet;
4. From the former, full-disk encryption with current Calamares/cryptsetup will always fail!

Solutions or workarounds:

a. Wait for GRUB to support LUKS2, if and when it will support it;
b. Explicitly use LUKS1 for /boot encryption (on Calamares?) with option "--type luks1" (the partition that GRUB loads/decrypts);
c. Replace Debian's cryptsetup by a custom built version with option "--with-default-luks-format=LUKS1" to default to LUKS1.

So (a.) isn't desirable and I don't know how easy it is to workaround Calamares with (b.). Perhaps the current best approach will be (c.) to Sparkylinux build and hold a custom cryptsetup package built with option "--with-default-luks-format=LUKS1, until (a.) or (b.) are resolved.

What do you guys think?

https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/v2.1.0-ReleaseNotes
https://github.com/calamares/calamares/issues/1096
https://github.com/calamares/calamares/issues/1099
https://savannah.gnu.org/bugs/?55093
jotapesse - Obrigado / Thank you.

jotapesse

jotapesse - Obrigado / Thank you.

pavroo

The full dist encrypion workded fine up to Sparky version 5.6 and still works on Sparky stable 4.9.
I removed the full encrypion from Calamres in Sparky 5.7, and waiting for Debian devs move; I think, after releasing Debian Buster stable, they will fix that for Sid and then move to new testing repos.

Anyway, I got update of grub yestarday, which installed libefivar and libefiboot (on bios machine), but did not check it out does it solve anything.
Nothing is easy as it looks. Danielle Steel

jotapesse

#4
Hi! Thank you for replying, @pavroo

I just would like to let you know that no bother waiting for Debian, it's upstream GRUB that has to fully support LUKS2. Whenever and if that happens. So it's not up to Debian to solve it. Also Debian does not use Calamares and doesn't offer full-disk encryption (/boot included) on Debian installer. It's explained well if you read through the references links I posted.

If you'd like to workaround it, as a temporary solution, until GRUB supports LUKS2 [option (a.) on my post] you currently have two options:
b. Setup Calamares to force cryptsetup to use LUKS1 (compatible with GRUB);
c. Replace Debian's crypsetup by a custom built package (defaulting to LUKS1);

As a hint, the guys at Manjaro and Q4OS distros have already opted with (b.) and configured Calamares to use LUKS1 while preserving cryptsetup untouched and released newer ISOs with it. This seems the best option currently. It works out of the box. I hope this helps you in any way.
jotapesse - Obrigado / Thank you.

pavroo

Fixed, temporary downgraded cryptsetup to version 2.0.x.
New iso images 5.7.1 with full disk encryption via Calamares already uploaded to mirrors.
Nothing is easy as it looks. Danielle Steel

jotapesse

That should work, although not the better option, probably. All the bug fixes and features released since that version and future updates won't be available and that may lead to issues or breaks for some users/systems. The cleaner workaround would be to:

b. Setup Calamares to force cryptsetup to use LUKS1 for encryption install (with option "--type luks1");

This way the cryptsetup package isn't altered and updates normally.
jotapesse - Obrigado / Thank you.

jotapesse

Also I noticed that on my current already installed Sparky system, cryptsetup was forcefully downgraded from debian's "2.1.0-2" to the "2.0.4-2ubuntu2" version from the sparkylinux repo. Not good! :(
jotapesse - Obrigado / Thank you.

pavroo

As I said before, it was temporary, so make system upgrade to get the latest version of cryptsetup back now.
Nothing is easy as it looks. Danielle Steel

jotapesse

Ah, ok got it. You did it only for building the ISO. Updated now. Thanks! :)
jotapesse - Obrigado / Thank you.

View the most recent posts on the forum