Full disk encryption (including /boot) Luks2+argon2id

Hi all . Please tell me, has anyone tried installing Full disk encryption (including /boot) Luks2+argon2id?
There is very little information on this topic.

I cannot actually speak on what you are asking because I have not tried this.
(my encrypted system has an unencrypted /boot directory, which the “normal” Grub2 can handle with all available ciphers)
But perhaps the following information in the Arch Wiki is helpful:

GRUB - ArchWiki

(the “Tip” in the green box - about grub-improved-luks2-git)

systemd-boot should be another way to boot a fully encrypted system using the cipher
The Arch Wiki has info on that as well as the following example I found:

Installing Arch Linux with Full Disk Encryption - Wai Hon's Blog

1 Like

Hello . Thanks for your answer and information.

As I understand it, neither GRUB 2.12 nor GRUB 2.06 support Argon2id PBKDF; GRUB 2.06 has even more restrictions on LUKS2 support. Therefore, both GRUB 2.12 and GRUB 2.06 need some fixes for LUKS2 with Argon2id support.

Need to use AUR aur.git - AUR Package Repositories
to implement this scheme…

… that’s what I said :grin:

No custom packages needed …

That is because it is not for the faint of heart - beware of the :dragon:

I have created a proof-of-concept - it is a manual process - but it is doable - you cannot use any kind of dual-boot - of course you can skip the use of Secure Boot - but I’d recommend creating your own signed loader and apply the key to the firmware - after you have verified it works - lock the firmware with a supervisor password.

1 Like

Hello. Thank you for your answer . A lot of work has been done, I looked at the script.

Please tell me what do you think about Libreboot where Grub is located inside the ROM and this Grub supports Luks2+argon2id, that is, in this scheme you don’t even need to install Grub from the distribution, it can also encrypt the boot partition and it is possible to sign the kernel and initramfs GPG

I know very little of LibreBoot - if you buy a system with LibreBoot - good I guess

From my learning experience with the above project I have learned that one don’t need grub.

My proof of concept project includes all what previously has been next to possible to achieve with Manjaro LInux

  • no reliance on Microsoft (unless your system requires signed optional-rom image(s)
  • no boot loader - the system loads directly using a signed kernel image
  • full disk encryption using luks2 with argon2id
  • unified kernel image
  • directly signed using a custom certificate
  • signing key enrolled in the firmware

Hello . Your project and script are very useful :+1:
I found another useful tutorial on the Hyperbola website for Luks2+argon2id.
link forums.hyperbola.info/viewtopic.php?id=1010

:warning: :zap:

That tutorial is a dangerous road … big flashing :warning: :zap:

for anyone coming around this thread

  • don’t mess with flashing libreboot
  • you are in risk of bricking your device

Why is it dangerous? Can you explain? What is wrong with this instruction or what is dangerous from your point of view.

I have answered the topic question

Yes - I have - and it is - using the script provided - a piece of :cake: to implement - I went a step further and implemented a system locked down by using Secure Verified Boot. The script is perfectly safe to use - now that I have squashed the last bugs - it is now v.0.5.

You are drifting the topic towards using libre boot - I don’t know libre boot but I do know that flashing your systems core firmware may brick your device - thus the warning signs

:warning: :zap:

Libreboot is not for everybody and every system … libre boot support only a few systems.

Unless you specifically own a supported system - you should think twice and carefully research and read until you understand the process in full - also possible errors that may rise during the process and how to deal with them.

Unless you know exactly what you are doing … because you fully understand the process you exactly what the process will do because you know it is fully compatible with your system.

Last time I was researching the topic it was necessary to take the system apart and use an external flasher attached to chip - that may have gotten better with flashprog project - but still …

That is why fiddling with reflashing the system EFI should be prepended with serious warnings.


Thank you for your answer . Now I understand what you mean. No, I don’t want to change the topic, I was interested in your opinion regarding the encryption scheme.
You wrote about flashprog, but I see on the Libreboot website a flashrom utility for flashing the BIOS chip, but that’s not important))

Okay, when I have time, I’ll definitely test your script, I’m interested in how it will work.