Ask Your Question
2

Convert Luks1 to Luks2: is it risky?

asked 2018-11-14 09:13:02 -0500

heliosstyx gravatar image

I read that Fedora uses now LUKS2 encryption by default. All my disks are LUKS1 encrypted. Makes it sense to convert the LUKS1 disks (/home) etc. to LUKS2? What are the risks and what would bring it to me? Are there special hardware requirements? What is the easiest way to do that? Thank you.

edit retag flag offensive close merge delete

Comments

Let me ask this: which of the features introduced in LUKS2 are you interested in that you are considering this upgrade?

So, unless you need one of the new features, the best and most secure option would be going with LUKS1.

Btw: your ‘cryptsetup’ in Fedora 28 is already 2.x (sure that doesn’t involve on-disk encryption)

florian gravatar imageflorian ( 2018-11-14 14:09:23 -0500 )edit

Also, check the issue tracker here and see if there is major LUKS2 disruptions before creating your new encryption.

florian gravatar imageflorian ( 2018-11-14 14:12:10 -0500 )edit

Other than that, as outlined in the Release Notes, make sure you have a proper backup before recreating your LUKS2: Please do not use LUKS2 without properly configured backup or in production systems that need to be compatible with older systems.

florian gravatar imageflorian ( 2018-11-14 14:15:39 -0500 )edit

Should I make an answer out of all these comments? Too bad that function has been removed.

florian gravatar imageflorian ( 2018-11-14 14:16:48 -0500 )edit

Also, take a look at this: https://gitlab.com/cryptsetup/cryptse...

florian gravatar imageflorian ( 2018-11-14 14:20:10 -0500 )edit

2 Answers

Sort by » oldest newest most voted
1

answered 2018-11-15 08:37:12 -0500

florian gravatar image

The safest method possible is to stick to the LUKS1 encryption that Fedora 28 chose for you when you created the setup and installed Fedora 28.

LUKS2 has some new features but if you don't need then, simply stick to what you have. You really don't want to hit a problem or bug with an on-disk encryption, and LUKS2 seems fairly new.

edit flag offensive delete link more

Comments

Thank you @florian. I will do that. I am sure that is the best way to stay safe without any issues.

heliosstyx gravatar imageheliosstyx ( 2018-11-15 11:45:57 -0500 )edit
0

answered 2018-11-15 06:45:31 -0500

heliosstyx gravatar image

updated 2018-11-15 07:01:16 -0500

@florian: thank you for your well structured answer. I want to use for disk-encryption the safest method generally if possible. The cryptsetup luksDump... command shows LUKS version 1 for my encrypted partitions . I am a little bit confused, because I installed Fedora 28 in March with a standard installation using LUKS for my /home-partition (ext4, LUKS). There were no options to using LUKS2. I am using now Fedora 29: Why does Fedora does not using LUKS2 as standard here?. Yes, please put your comments in one answer.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-11-14 09:13:02 -0500

Seen: 835 times

Last updated: Nov 15 '18