LUKS On-disk format type = 1

A few weeks ago I reinstalled my Manjaro system from scratch (wiped partitions and full reinstall). I noticed today that my two encrypted partitions are using the LUKS1 on-disk format instead of LUKS2. (snip):

type: LUKS1
cipher: aes-xts-plain64
keysize: 512 [bits]
key location: dm-crypt

Shouldn’t it be using the LUKS2 on-disk format instead? Any idea why this happened?
Thanks

I never use encryption and so cannot give a detailed response. However, inasmuch as I am aware, Calamares and Grub only support LUKS1 in this instance.

There are a few forum topics that examine this to a greater depth, if you will search for them; failing that, others may be able to offer a deeper dive.

Regards.

Thanks for the reply.
You’re right, the issue is related to Calamares.

I just found a similar discussion here:

1 Like

It is a limitation in the installer framework.

But if you are capable, I have written a guide on changing from LUKS1 and grub to LUKS2 and unified kernel.

In fact I am working on a version that does not imply a dual-boot scenario with secure boot enabled.

2 Likes

Grub cannot (could not - not sure about the status now) handle decryption of Luks2.

If you switch to systemd-boot instead of Grub, you can convert your Luks1 volume to Luks2.

Otherwise you might have a problem booting your system afterwards … :wink:

You could also make /boot unencrypted - then that problem would also not be present.

The conversion from Luks1 to Luks2 is not the problem - the boot-loader is, whether it can work with Luks2 …

1 Like

It can, see GRUB - ArchWiki

It looks a bit unstable and the warning indicates that it should be used as of now.

(See the LUKS2 chapter GRUB - ArchWiki and the discussion: Talk:GRUB - ArchWiki)

Could you please provide some feedback on this?

1 Like

The grub available via the AUR can - has been patched to support luks2 and the encryption algorithms.
Not sure if I can read that as: the “normal” grub from the repos can do that.

https://wiki.archlinux.org/title/GRUB#LUKS2

One could try - and fix it via chroot if it doesn’t work.

I’d simply switch to systemd-boot - as I in fact did.

Great! Thanks for all the feedback! For sure all these details will help others.

I’ll read all this information in more detail and will decide what to do: whether to switch to LUKS2 using GRUB or try systemd-boot.

One very annoying thing I had in the past (not sure if it is still present with the recent install) is that grub took a while to open and boot from the encrypted partition, like 10 seconds. If this is still present then I’ll consider systemd-boot, which is not affected by this as far as I know.

It is.
The reason is not Luks1 vs Luks2, the reason is that Grub only runs a single thread on a single core - and thus the decryption process can take quite a long time.
Plus:
you only have one chance to get the password right, you won’t be asked again but have to start over

1 Like
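
To confirm the on-disk format independently of the status output quoted in the first post, this added example (not part of the thread or any participant's post) parses the fixed fields at the start of a LUKS header. The function names `luks_info` and `read_device` are hypothetical, and the sample headers, including the `sha256` hash and payload offset, are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header, all big-endian: magic[6], version u16,
# cipher-name[32], cipher-mode[32], hash-spec[32], payload-offset u32,
# key-bytes u32.
LUKS1_FMT = ">6sH32s32s32sII"


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def luks_info(header):
    """Describe a LUKS header given its first bytes; None if not LUKS."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", header[6:8])[0]
    info = {"type": "LUKS%d" % version}
    # Only LUKS1 stores cipher and key size in fixed binary fields;
    # LUKS2 keeps them in its JSON metadata area, so only the type is reported.
    if version == 1 and len(header) >= struct.calcsize(LUKS1_FMT):
        _, _, name, mode, hash_spec, _, key_bytes = struct.unpack_from(
            LUKS1_FMT, header)
        info["cipher"] = _cstr(name) + "-" + _cstr(mode)
        info["keysize_bits"] = key_bytes * 8
        info["hash"] = _cstr(hash_spec)
    return info


def read_device(path):
    """Read the first sector of a partition or image (needs read access)."""
    with open(path, "rb") as f:
        return luks_info(f.read(512))


# Constructed sample headers (not taken from a real disk). The LUKS1 one
# mirrors the values in the first post: aes-xts-plain64, 512-bit key.
SAMPLE_LUKS1 = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes",
                           b"xts-plain64", b"sha256", 4096, 64)
SAMPLE_LUKS2 = LUKS_MAGIC + struct.pack(">H", 2) + bytes(504)

if __name__ == "__main__":
    import sys
    for dev in sys.argv[1:]:
        print(dev, read_device(dev))
    if len(sys.argv) == 1:
        print(luks_info(SAMPLE_LUKS1))
        print(luks_info(SAMPLE_LUKS2))
```

Run with a partition path as the argument (as root) to inspect a real device, or with no arguments to see the constructed samples.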