Post Syndicated from original https://lwn.net/Articles/929343/

Matthew Garrett points
out that many Linux systems using encrypted disks were installed with a
relatively week key derivation function that could make it relatively easy
for a well-resourced attacker to break the encryption:

So, in these days of attackers with access to a pile of GPUs, a
purely computationally expensive KDF is just not a good
choice. And, unfortunately, the subject of this story was almost
certainly using one of those. Ubuntu 18.04 used the LUKS1 header
format, and the only KDF supported in this format is PBKDF2. This
is not a memory expensive KDF, and so is vulnerable to GPU-based
attacks. But even so, systems using the LUKS2 header format used to
default to argon2i, again not a memory expensive KDF. New versions
default to argon2id, which is. You want to be using argon2id.

The article includes instructions on how to (carefully) switch an installed
system to a more secure setup.