I read that Fedora uses now LUKS2 encryption by default. All my disks are LUKS1 encrypted. Makes it sense to convert the LUKS1 disks (/home) etc. to LUKS2? What are the risks and what would bring it to me? Are there special hardware requirements? What is the easiest way to do that? Thank you.
The safest method possible is to stick to the LUKS1 encryption that Fedora 28 chose for you when you created the setup and installed Fedora 28.
LUKS2 has some new features but if you don't need then, simply stick to what you have. You really don't want to hit a problem or bug with an on-disk encryption, and LUKS2 seems fairly new.
Thank you @florian. I will do that. I am sure that is the best way to stay safe without any issues.
@florian: thank you for your well structured answer. I want to use for disk-encryption the safest method generally if possible. The cryptsetup luksDump... command shows LUKS version 1 for my encrypted partitions . I am a little bit confused, because I installed Fedora 28 in March with a standard installation using LUKS for my /home-partition (ext4, LUKS). There were no options to using LUKS2. I am using now Fedora 29: Why does Fedora does not using LUKS2 as standard here?. Yes, please put your comments in one answer.
Asked: 2018-11-14 09:13:02 -0600
Seen: 1,788 times
Last updated: Nov 15 '18
Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
Let me ask this: which of the features introduced in LUKS2 are you interested in that you are considering this upgrade?
So, unless you need one of the new features, the best and most secure option would be going with LUKS1.
Btw: your ‘cryptsetup’ in Fedora 28 is already 2.x (sure that doesn’t involve on-disk encryption)
Also, check the issue tracker here and see if there is major LUKS2 disruptions before creating your new encryption.
Other than that, as outlined in the Release Notes, make sure you have a proper backup before recreating your LUKS2: Please do not use LUKS2 without properly configured backup or in production systems that need to be compatible with older systems.
Should I make an answer out of all these comments? Too bad that function has been removed.
Also, take a look at this: https://gitlab.com/cryptsetup/cryptse...