ISO - cryptsetup Full Disk Encryption (FDE) - set more secure default encryption settings

cryptsetup defaults:

cryptsetup --help
Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
        LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

More secure command currently documented on https://www.kicksecure.com/wiki/Full_Disk_Encryption:

sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat


Differences - cryptsetup default versus hardened cryptsetup command line options:

TODO


Calamares (ISO installer used by Kicksecure) uses cryptsetup default settings.

Upstream issue, discussion:

Dev todo:
ISO - calamares encryption settings

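An added example (not part of the original post, and not Kicksecure or cryptsetup code): a shell check that parses the LUKS line of `cryptsetup --help` and lists which compiled-in defaults differ from the hardened command quoted in the post. It applies the XTS key-doubling note exactly as the help text states it; the function and variable names are hypothetical, and the sample input is the help output from the post.

```shell
#!/bin/sh
# `cryptsetup --help` excerpt copied from the post (not live output).
HELP_SAMPLE='Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
        LUKS: Default keysize with XTS mode (two internal keys) will be doubled.'

# Values taken from the hardened luksFormat command in the post.
# --use-random selects /dev/random for volume key generation.
WANT_CIPHER=aes-xts-plain64 WANT_KEYBITS=512 WANT_HASH=sha512 WANT_RNG=/dev/random

# Read help text on stdin; print "cipher keybits hash rng" for LUKS (exit 1 if absent).
luks_defaults() {
    awk '
        /^[ \t]*LUKS: .*Key: [0-9]+ bits/ {
            line = $0
            sub(/^[ \t]*LUKS: /, "", line)
            n = split(line, f, /, */)
            cipher = f[1]
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^Key: /)                 { split(f[i], k, " "); bits = k[2] }
                if (f[i] ~ /^LUKS header hashing: /) { sub(/^LUKS header hashing: /, "", f[i]); hash = f[i] }
                if (f[i] ~ /^RNG: /)                 { sub(/^RNG: /, "", f[i]); rng = f[i] }
            }
        }
        /Default keysize with XTS mode .* will be doubled/ { doubled = 1 }
        END {
            if (cipher == "") exit 1
            if (doubled && cipher ~ /-xts-/) bits *= 2   # effective XTS key size
            print cipher, bits, hash, rng
        }'
}

# Read help text on stdin; print one line per setting that differs from the hardened value.
diff_from_hardened() {
    d=$(luks_defaults) || { echo "no LUKS defaults line found" >&2; return 2; }
    set -- $d
    [ "$1" = "$WANT_CIPHER" ]  || echo "cipher: default $1, hardened $WANT_CIPHER"
    [ "$2" = "$WANT_KEYBITS" ] || echo "key-size: default $2, hardened $WANT_KEYBITS"
    [ "$3" = "$WANT_HASH" ]    || echo "hash: default $3, hardened $WANT_HASH"
    [ "$4" = "$WANT_RNG" ]     || echo "rng: default $4, hardened $WANT_RNG"
    return 0
}

printf '%s\n' "$HELP_SAMPLE" | diff_from_hardened
```

To check an installed build, pipe its own help text in: `cryptsetup --help | diff_from_hardened`.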

Was merged. :partying_face: Great work! @arraybolt3