[Feature Request] Add security options specific to LUKS2

[git70]

My dear Francis!

Motivation:

1. There was no update for a long time ;)
2. For some time for some critical applications I have to use bare cryptsetup because in ZC there is no options.
3. Since ZC 6.0.0 default has passed on LUKS2 it would be great to add the following options to GUI:

--pbkdf (so that you can choose argon2id) --pbkdf-force-iterations --pbkdf-memory --label

I suggest that these options appear dynamically in the window only for LUKS2 or were grayed out for LUKS1

Of course, as usual, I put a beer! ;)

[mhogomchungu]

Yes, its been a while and a new release should be out within two weeks.

I should be done with this maybe tomorrow or a day after.

[mhogomchungu]

This functionality is now done.

In the "create a new volume" window, select "LUKS2" as volume type and a push button to the right(picture 1 below) will become enabled and when the button is clicked, LUKS2 only options will show up as seen in picture 2 below and this place will allow you to set the options you want.

[mhogomchungu]

Closing this one as fixed but feel free to comment if anything comes up.

[git70]

Looks wonderful! Thank you friend! :) I will write a mail on beer;)

One thing wonders me: Is the Forced Iterations (--Iter-Time) switch conflict from Unlocking Time Cost (--pbkdf-force-iterations)?

[mhogomchungu]

1. "Unlocking time cost" is equivalent to "--iter-time" cryptsetup option.
2. "Forced iteration" is equivalent to "--pbkdf-force-iterations" cryptsetup option.

Yes, they do conflict and "--pbkdf-force-iterations" option clears out ""--iter-time" option if both are set. Cryptsetup code that does the clearing is here[1] and in zuluCrypt it is here[2]. zuluCrypt copies crysetup behavior.

[1] https://gitlab.com/cryptsetup/cryptsetup/-/blob/master/src/utils_luks.c#L131-L135

[2] https://github.com/mhogomchungu/zuluCrypt/blob/332ae4cd7057a57259bf8d47d7670f0ba31541cc/zuluCrypt-cli/lib/create_luks.c#L518-L523

[git70]

The test showed such a visual problem:

[git70]

One more thing:

Is the "Allow Discard (Trim)" is equivalent "cryptsetup --allow-discards"? According to the documentation, it is only associated with the "cryptsetup LuksOpen" actions and does not apply to "cryptsetup LuksFormat"

[mhogomchungu]

This should be a bug because cryptsetup CLI disallows using "--allow-discards" when creating a volume but its library API allows it.

Some flags can be stored in LUKS header and the list of flags that can be stored is documented here[1] in its library API.

You can check if the flag is set in the LUKS2 header by using "luksDump" cryptsetup option and the beginning of the output look like below when the flag is set(look at the "flags" entry).

[ink@localhost ~]$ cryptsetup luksDump aaa.img 
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           e1ecd5e0-a2ed-42d6-a0fc-28ad1a61b69d
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          allow-discards 

[1] https://gitlab.com/cryptsetup/cryptsetup/-/blob/master/lib/libcryptsetup.h#L1246-L1266

[mhogomchungu]

I have opened a bug report and lets see what they will say about it: https://gitlab.com/cryptsetup/cryptsetup/-/issues/727

[mhogomchungu]

Update again and check if the UI problem is fixed

[git70]

Everything looks fine. Perhaps only one thing is behaving unexpectedly: Closing the "Advanced Luks2 Option" window (but if you do not want to change anything) closes the entire "Create A New Volume" at the same time.

[mhogomchungu]

It is the same window and the trick i use to re-use the same window for different purposes is to show/hide different UI elements within the window.

The window works as expected now in the git version.