Patrick
cryptsetup defaults:
cryptsetup --help
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
More secure command currently documented on https://www.kicksecure.com/wiki/Full_Disk_Encryption:
sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat
Differences - cryptsetup default versus hardened cryptsetup command line options:
TODO
Calamares (ISO installer used by Kicksecure) uses cryptsetup default settings.
Upstream issue, discussion:
Dev todo:
ISO - calamares encryption settings
Was merged. Great work! @arraybolt3
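The comparison set up in the first post (cryptsetup defaults versus the hardened options) can be checked against an existing volume's header. The following is an added example, not part of the thread or of Kicksecure's code: the function names `luks_params` and `audit_luks_dump` are hypothetical, the dump is a constructed sample, and the LUKS2 `luksDump` text layout is assumed.

```shell
# Hardened values from the command quoted in the post.
WANT="cipher=aes-xts-plain64 key_bits=512 hash=sha512"

# Constructed sample (abridged LUKS2 luksDump, not from a real device). Values
# follow the --help defaults above: 256-bit key doubled for XTS, sha256.
DEFAULT_DUMP='LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        AF hash:    sha256
Digests:
  0: pbkdf2
        Hash:       sha256'

# Extract data-segment cipher, first keyslot key size and digest hash.
luks_params() {
    awk '
        /^[A-Za-z]/       { sec = "" }      # any top-level header ends a section
        /^Data segments:/ { sec = "seg" }
        /^Keyslots:/      { sec = "slot" }
        /^Digests:/       { sec = "dig" }
        sec == "seg"  && $1 == "cipher:" && c == "" { c = $2 }
        sec == "slot" && $1 == "Key:"    && k == "" { k = $2 }
        sec == "dig"  && $1 == "Hash:"   && h == "" { h = $2 }
        END { printf "cipher=%s key_bits=%s hash=%s\n", c, k, h }
    '
}

# Print the parsed parameters; return 1 if any differs from $WANT.
# --use-random only affects key generation and is not recorded in the header.
audit_luks_dump() {
    params=$(luks_params)
    status=0
    for want in $WANT; do
        case " $params " in
            *" $want "*) ;;
            *) echo "MISMATCH: want $want" >&2; status=1 ;;
        esac
    done
    echo "$params"
    return "$status"
}
printf '%s\n' "$DEFAULT_DUMP" | audit_luks_dump || echo "not hardened"
```

On a real system, pipe the output of `sudo cryptsetup luksDump` for the encrypted device into `audit_luks_dump` instead of the sample.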