Configure cryptsetup to use LUKS2

[cleeyv]

Since October 9, 2022 Calamares has added a luksGeneration option in partition.conf to enable LUKS2 support for cryptsetup. The reasons why this is important for user security are outlined in that PR:

A bit of context, LUKS2 is the default encryption operating mode since cryptsetup >= 2.1.0 [...] 
It is considered more secured and allows additional extensions. 
It also comes with Argon2id as the default Password Based Key Derivation Function (--pbkdf option). 
So it's important to provide this as an option for Calamares in order to make Linux installs more secure, 
for those who wish to encrypt their system.

Since mid-April 2023, the urgency of making the upgrade to LUKS2 has been highlighted by a report of how LUKS1 encryption can feasibly be broken and how this can only fixed by using LUKS2 (with the argon2id key derivation function, which is now the cryptsetup default for LUKS2).

Following this news, more people have been attempting to use LUKS2 on Calamares and reporting a number of bugs in issue #2129. However, as of August 6th there is a comment on this issue reporting that recent patches by the Calamares team (presumably referring to PR #2146 from June) have fixed the issues with using LUKS2, as long as the /boot partition is not encrypted.

Considering that the Calamares NixOS installer isn't encrypting /boot anyyways, it seems like it should be possible to upgrade to LUKS2. Now that there is practical upstream support for LUKS2 from Calamares, I think there is a responsibility for distributions such as NixOS to upgrade as soon as possible to reduce the number of users that are installing systems with cryptography that is known to be insecure.

[cleeyv]

I have returned to looking into this issue noticed that the current stable release of Calamares is version 3.2.62 from April 24th, while the feature to allow for choosing luks2 in the partition.conf was only alpha released in version 3.3.0-alpha3 on August 28th. Just a few days after I last looked at this!

The nixpkgs version of Calamares is the current stable release, which is reasonable. However, some other distros are distributing 3.3 alpha release versions. Notably, the two most recent interim releases of Ubuntu, in addition to a few rolling release distros. If nixpkgs followed suite and the version of Calamares were upgraded to 3.3.0-alpha3 then in theory the partition.conf for this project could be upgraded to support luks2.

[cleeyv]

I have continued with testing an upgrade of Calamares to version 3.3.0-alpha3 (with luks2 enabled in the calamares-nixos-extensions partition.conf) by following the manual instructions on how to build a live iso using the upgraded installer. I got the following error when building :

[cleeyv...nixpkgs/nixos]$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix default.nix
[...]
error: builder for '/nix/store/nv01c7508368wzp74q8607fh1mnhni27-calamares-3.3.0-alpha3.drv' failed with exit code 1;
       last 10 log lines:
       > patching sources
       > applying patch /nix/store/3hsnncykh2cr60qyagrvhwix1z1z20z8-userjob.patch
       > patching file src/modules/users/Config.cpp
       > Hunk #1 succeeded at 1002 (offset 30 lines).
       > applying patch /nix/store/2h4wxx750fiw8nj3q6m3bjk630l9la1r-nixos-extensions-paths.patch
       > patching file src/calamares/main.cpp
       > Hunk #1 FAILED at 131.
       > 1 out of 1 hunk FAILED -- saving rejects to file src/calamares/main.cpp.rej
       > patching file src/libcalamares/utils/Dirs.cpp
       > patching file src/libcalamares/utils/Dirs.h
       For full logs, run 'nix log /nix/store/nv01c7508368wzp74q8607fh1mnhni27-calamares-3.3.0-alpha3.drv'.
[...]

What I take from this is that the upgrade of Calamares to any version 3.3.0-* will require updates to the patches that are required for the NixOS installer to work, so that the patches match changes to upstream files. This will be required for further work on this issue but eventually it will be required anyways once Calamares releases a stable version of 3.3.0.

[cleeyv]

The stable version of Calamares 3.3.0 was released last week: https://github.com/calamares/calamares/blob/calamares/CHANGES-3.3

[vlinkz]

Check #26 if you want to test. I think everything should be working with 3.3.0 and luks2.