I was wondering if I'm the only one whose system just broke down because of the Artix-Installation guide to full encryption?
It states there:
```
# [CaseA]
cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2
# [CaseB]
cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX1
```
This is bad. The whirlpool hash has been discontinued for security reasons for many years now. I wasn't aware of that until tomorrow and I suppose no one is.
Also... there doesn't seem to be a way to install or even FIND cryptsetup-reencrypt for reencrypting or even removing encryption for luks1 partitions.
Yesterday was a many-hour-long sprint in figuring out why my fully encrypted system broke down and it seems to boil down to the whirlpool hash. Is no one else running a fully encrypted system or is Artix Linux on its way out?
The guide also features a link to a feedback/support forum thread; maybe it would be better to request changing the hashing algorithm used in the guide there.
```
cryptsetup reencrypt <device> --keep-key --hash <algorithm>
```
Works perfectly fine (as I had to fix my install as well after following the guide).
As you saw from the thread you were active in yesterday, I believe you are aware that other people ran into the same problems as you.
Thanks for the reply... so all the tutorials (I've found so far) regarding using cryptsetup-reencrypt instead of cryptsetup reencrypt for LUKS1 are outdated? I'll try that.
Hey, I hit the same issue.
I reencrypted disks to use sha512.
Because I was using a keyfile to decrypt the disk, I had to kill the slot and add the key again after reencrypting. It's still added in `FILES=()` in `mkinitcpio.conf` and I regenerated the file.
After that, grub complains:
```
Couldn't load sha512 hash.
no such cryptodisk found.
disk 'cryptouuid/56e....' not found.
```
I tried to recreate the grub config after that as well, but that didn't help either.
Any suggestions for what I should do for grub to properly decrypt my drive?
This might be helpful: https://forum.artixlinux.org/index.php/topic,4772.msg30513/topicseen.html
Make sure to read until the end.
I am really sorry for your problems, and have replied to you (https://forum.artixlinux.org/index.php/topic,1541.new.html#info_31389) in the official support thread for this manual.
Maybe it's just you have upgraded your Artix at the unfortunate time... See: I am using a "whirlpool" installation of Artix myself and I upgrade it from time to time, but it is still working fine without any re-encryptions or any other interference. Although, for the fresh installs, I see there was an error regardless of if you are using `whirlpool` or `sha512`. Now I have fixed this FDE manual (https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption) for both hashing methods, but still have decided to use `sha512`.

@blackyy, @random_bash, @Lancia - I believe all the problems have been fixed ;)
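
Added example (not from any poster in this thread or from the Artix guide): a way to confirm which hash a LUKS1 header records, before and after a `cryptsetup reencrypt ... --hash` run, by reading the header fields directly. The function names and the sample header are constructed for illustration; the offsets follow the LUKS1 on-disk layout (magic 6 bytes, version 2, cipher name 32, cipher mode 32, hash spec 32).

```shell
#!/bin/sh
# Read the hash-spec field straight from a LUKS1 header.
# LUKS1 layout: magic[6] version[2] cipher-name[32] cipher-mode[32] hash-spec[32] ...

# pad <string> <len>: emit the string followed by NUL bytes up to <len> bytes
pad() {
    printf '%s' "$1"
    n=$(( $2 - ${#1} ))
    dd if=/dev/zero bs=1 count="$n" 2>/dev/null
}

# make_sample_header <file> <hash-name>: constructed test input, not a real volume
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'   # magic "LUKS" 0xBA 0xBE, version 1
        pad serpent 32                  # cipher name
        pad xts-plain64 32              # cipher mode
        pad "$2" 32                     # hash spec
    } > "$1"
}

# hex_at <file> <offset> <length>: bytes as lowercase hex without separators
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# luks1_hash_spec <file-or-device>: print the hash spec, fail if not LUKS1
luks1_hash_spec() {
    if [ "$(hex_at "$1" 0 6)" != "4c554b53babe" ]; then
        echo "$1: no LUKS magic" >&2
        return 1
    fi
    if [ "$(hex_at "$1" 6 2)" != "0001" ]; then
        echo "$1: LUKS header is not version 1" >&2
        return 1
    fi
    # hash-spec starts at 6 + 2 + 32 + 32 = 72 and is NUL-padded to 32 bytes
    dd if="$1" bs=1 skip=72 count=32 2>/dev/null | tr -d '\000'
}

# Demo on the constructed header
sample=$(mktemp)
make_sample_header "$sample" whirlpool
echo "hash spec: $(luks1_hash_spec "$sample")"
rm -f "$sample"
```

On a real system, point `luks1_hash_spec` at the LUKS partition as root; the value is the same one `cryptsetup luksDump` reports as "Hash spec".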