Anon-Planet / thgtoa

The comprehensive guide for online anonymity and OpSec.
https://anonymousplanet.org/

FDE: PBKDF2 should be phased out of our recommendations due to crypto weaknesses #304

Closed nopeitsnothing closed 1 year ago

nopeitsnothing commented 1 year ago

PBKDF2 is weak against brute force attack

Strength of Argon2id compared to PBKDF2

Until Tails 5.12 (19 April 2023), Tails created LUKS devices version 1 (LUKS1) with PBKDF2 as key derivation function, a calculation run on the passphrase before trying to unlock the encryption with the result.

PBKDF2 is now considered too weak compared to available computing power.

Some cryptographers think this weakness might have already been used against an activist in France but the actual operations by the French police are kept secret.

Since Tails 5.13 (16 May 2023), Tails creates LUKS devices version 2 (LUKS2) with Argon2id as key derivation function.

Recommend using Argon2id, not PBKDF2

Currently, we recommend using LUKS2 for FDE (hopefully, readers choose LUKS2, idk why you'd use LUKS1 on modern boxes), but do not always specify the "key derivation function", or KDF, to use or why. We should specify that LUKS2 with Argon2i is safer to protect against brute force with modern hardware. Yes, this is something that you can throw GPUs at and it will eventually work, probably. Seeing how there's already some speculation this may have been used by the French police against an activist, it's not a bad assumption that it might be used elsewhere.

Note: This does require only a small adversary, with low-to-high motivation, but also requires physical access to brute force. That, however, is within our threat model. While that doesn't require a DFD to determine our risk, consider that we recommend VeraCrypt and LUKS. I don't know how many people view the guide. I don't know or care about the metrics. I do care that it's recommended even "as a last resort" in current year, when this function is heavily outdated. Hell, even the data in the pages we recommend reading are from 2018 or before...

... The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2 ...

Give any additional relevant context

See: Tails security notes on Argon2id & their 5.14 blog post

  1. RSA Laboratories, PKCS #5 v2.0: Password-Based Cryptography Standard, RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS), March 25, 1999, available at https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-5-password-based-cryptography-standard.htm.
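As an added example that is not part of this issue or of the thgtoa guide, a small sh/awk audit that reads `cryptsetup luksDump` output and flags keyslots still derived with PBKDF2 rather than Argon2id; the header dumps embedded in it are constructed samples, and `audit_luks_kdf` and `classify` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thgtoa guide): flag LUKS keyslots still using PBKDF2.
# Only the "Keyslots:" section matters: a LUKS2 header always lists "pbkdf2" under
# "Digests:" (volume-key digest), which is not the brute-force target, so a bare
# `grep pbkdf2` would false-positive on every Argon2id device.

# Reads a luksDump on stdin, prints "slot N: <kdf>" per keyslot,
# returns 1 if any keyslot (or a LUKS1 header, PBKDF2-only) relies on PBKDF2.
audit_luks_kdf() {
    awk '
        /^Version:/ { if ($NF == "1") { print "LUKS1 header: all keyslots use pbkdf2"; weak = 1 } }
        /^Keyslots:/ { in_slots = 1; next }
        in_slots && /^[^ \t]/ { in_slots = 0 }          # next top-level section (Tokens:, Digests:)
        in_slots && /^  [0-9]+:/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && /^[ \t]+PBKDF:/ {
            print "slot " slot ": " $2
            if ($2 == "pbkdf2") weak = 1
        }
        END { exit weak ? 1 : 0 }
    '
}

# Constructed sample: Argon2id keyslot plus the always-pbkdf2 digest section
# (real dumps separate fields with tabs; the awk above accepts tabs or spaces).
LUKS2_OK='Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2'

# Constructed sample: a LUKS2 keyslot created with --pbkdf pbkdf2.
LUKS2_WEAK='Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:'

# Constructed sample: a LUKS1 header, where PBKDF2 is the only option.
LUKS1='Version:        1
Key Slot 0: ENABLED
        Iterations:     1234567'

# Echoes "ok" or "weak" for a given header dump.
classify() { printf '%s\n' "$1" | audit_luks_kdf >/dev/null && echo ok || echo weak; }

classify "$LUKS2_OK"     # ok
classify "$LUKS2_WEAK"   # weak
classify "$LUKS1"        # weak
# Real device: sudo cryptsetup luksDump /dev/sdX | audit_luks_kdf
```

A weak LUKS2 slot can be re-derived in place with `cryptsetup luksConvertKey --pbkdf argon2id /dev/sdX`, and a LUKS1 header first needs `cryptsetup convert --type luks2 /dev/sdX`; both are standard cryptsetup 2.x commands.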