longhorn / longhorn

Cloud-Native distributed storage built on and for Kubernetes
https://longhorn.io
Apache License 2.0

[FEATURE] Support for more LUKS2 encryption options for Argon2id #9478

Open Silvest89 opened 1 month ago

Silvest89 commented 1 month ago

Is your feature request related to a problem? Please describe (👍 if you like this request)

Currently, Longhorn supports argon2i through the luks format. However, for argon2id more args can be used.

Currently supported

apiVersion: v1
kind: Secret
metadata:
  name: longhorn-crypto
  namespace: longhorn-system
stringData:
  CRYPTO_KEY_VALUE: "Your encryption passphrase"
  CRYPTO_KEY_PROVIDER: "secret"
  CRYPTO_KEY_CIPHER: "aes-xts-plain64"
  CRYPTO_KEY_HASH: "sha256"
  CRYPTO_KEY_SIZE: "256"
  CRYPTO_PBKDF: "argon2id"

--pbkdf-memory, --pbkdf-parallel and --iter-time that make for a more customizable argon2id encryption.

Describe the solution you'd like

Support for more luksformat options.

PhanLe1010 commented 1 month ago

cc @derekbit @ChanYiLin Do you think we should support this? I don't have much knowledge about this part. It seems reasonable to support more parameters?

derekbit commented 1 month ago

> cc @derekbit @ChanYiLin Do you think we should support this? I don't have much knowledge about this part. It seems reasonable to support more parameters?

Supporting more options makes sense to me as well. cc @mantissahz

mantissahz commented 1 month ago

Yes, we could add these options if the cryptsetup commands or libraries support them.