On Tue, 25 Mar 2025 20:12:25 +0800,
45mg wrote:
>
> "Thomas Ieong" <th.ie...@free.fr> writes:
>
> > I remember that some years ago we could not use LUKS 2, has the situation
> > improved?
>
> I'm writing this from Guix System installed on an LUKS 2 volume. So,
> yes, it works now. GRUB also supports `--pbkdf argon2id` now, so you
> don't have to worry about that insecurity [1] anymore.

GRUB doesn't support Argon2 at the moment.

> The problem is that you still need GRUB to decrypt the volume before you
> can boot, and GRUB's decryption is really slow (takes over a minute,
> versus a few seconds after booting the kernel).
>
> What most distributions do is use something like `ukify` to generate a
> bootable UEFI image that includes the required crypto modules. There
> is an open patch series that would add this to Guix [2], but it hasn't
> been touched in a long time (it was split off from a larger rewrite of
> the bootloader subsystem [3], which also hasn't been touched in a
> while).

A UKI bootloader doesn't suit the multiple generation model well; the
implementation depends on the reliability of EFI firmware too much.
