Yeah it’s alright. I’ve been using Tumbleweed on my Desktop PC for the last few months and I gotta say it’s mid. They do hard drive unlocking in Grub instead of in the initfs which means that only LUKS 1 and with that only the not-so-secure PDKDF is supported, instead of argon2id which is the modern KDF you want to use. This is a small and annoying oversight in the distros security which is why I will not be using it in the future
LUKS2 is only partially supported by GRUB; specifically, only the PBKDF2 key derivation function is implemented,
which is not the default KDF used with LUKS2, that being Argon2i (GRUB Bug 59409). LUKS encrypted partitions using
Argon2i (as well as the other KDF) can not be decrypted. For that reason, this guide only recommends LUKS1 be used.
You can fix this by manually placing the /boot partition outside of luks when you do your install. I did it and now my opensuse system boots in a reasonable time. Annoying to do but 100% worth it.
Luckily most installers support installing wherever you tell them to. So if you install from a live image you should be able to set it up the way you want. I’ll definitely try that as soon as a I do my next installation.
Yeah it’s alright. I’ve been using Tumbleweed on my Desktop PC for the last few months and I gotta say it’s mid. They do hard drive unlocking in Grub instead of in the initfs which means that only LUKS 1 and with that only the not-so-secure PDKDF is supported, instead of argon2id which is the modern KDF you want to use. This is a small and annoying oversight in the distros security which is why I will not be using it in the future
Doesn’t GRUB support LUKS2 nowadays? I know that wasn’t the case a year ago or so, but I didn’t see a notice on the Archwiki last time I checked.
Not sure how up to date this is, but it claims LUKS2 is only partially supported by GRUB https://docs.voidlinux.org/installation/guides/fde.html
You can fix this by manually placing the /boot partition outside of luks when you do your install. I did it and now my opensuse system boots in a reasonable time. Annoying to do but 100% worth it.
Luckily most installers support installing wherever you tell them to. So if you install from a live image you should be able to set it up the way you want. I’ll definitely try that as soon as a I do my next installation.