Re: GNU Boot patches: update to GRUB 2.12 with various fixes
From: Denis 'GNUtoo' Carikli
Subject: Re: GNU Boot patches: update to GRUB 2.12 with various fixes
Date: Wed, 13 Nov 2024 20:16:40 -0000

On Thu, 18 Jan 2024 21:13:14 +0000
Leah Rowe <info@minifree.org> wrote:
> > This way when all still-supported distributions / LUKS
> > implementations will finally support Argon2, it will be possible to
> > enable/add support to automatically update the LUKS volumes.
>
> Once again, this makes no sense. I can't see the problem here.
The problem is simple: if a user installs a distribution now, the
encrypted volume is usually created with LUKS2 and Argon2/Argon2id and
everything is fine.

If users use Tails or followed a guide to manually update the encrypted
volume to LUKS2 + Argon2/Argon2id, then everything is fine too.

But not everyone can/should use Tails as their main distribution (it
contains nonfree firmware for instance) and not everyone knows about the
issue or followed a guide to update the volume manually. Because of that
many people still use LUKS1 and the old scheme.

And we know LUKS1 was broken by a state with a 20+ character passphrase
(with letters, numbers, and special character(s)) precisely because of
that (the distribution was "Ubuntu 18" according to the person who got
his drive decrypted[1]). So far we have no information on how the
decryption was done as none of the documents in the lawsuit mention that.

Then there is also the need to teach people that the number of
characters in a passphrase isn't a good measure and that entropy is
better. Tails now advises using at least 5 random words[2]. Updating
that info in people's minds will probably take an order of magnitude
longer though, but projects like Tails or security training for
activists will probably help a lot in that regard.

References:
-----------
[1] https://paris-luttes.info/une-lettre-d-ivan-enferme-a-la-16935
[2] https://tails.net/security/argon2id/

Denis.
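
An added example (not part of the original message, and not GNU Boot or cryptsetup code): one way to find volumes still on the older scheme discussed above, by classifying the text printed by `cryptsetup luksDump`. The sample dumps are constructed, the function name is hypothetical, and the field layout is assumed to match your cryptsetup version.

```python
import re

# Constructed samples modelled on `cryptsetup luksDump` output; values are made up.
LUKS1_DUMP = """LUKS header information for /dev/sdX2
Version:        1
Hash spec:      sha256
Key Slot 0: ENABLED
    Iterations:     1000000
Key Slot 1: DISABLED
"""
LUKS2_DUMP = """LUKS header information
Version:        2
Keyslots:
  0: luks2
    PBKDF:      argon2id
    Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
"""
# Same volume with a second, older keyslot that was never converted.
LUKS2_MIXED_DUMP = LUKS2_DUMP.replace(
    "Tokens:", "  1: luks2\n    PBKDF:      pbkdf2\nTokens:")

def audit_luks_dump(text):
    """Return (version, {slot: kdf}, needs_upgrade) for one luksDump output."""
    m = re.search(r"^Version:\s*(\d+)", text, re.M)
    if not m:
        raise ValueError("no LUKS version field found")
    version, slots = int(m.group(1)), {}
    if version == 1:
        # LUKS1 has no PBKDF field: every enabled slot is PBKDF2.
        for n in re.findall(r"^Key Slot (\d+): ENABLED", text, re.M):
            slots[int(n)] = "pbkdf2"
    else:
        section = slot = None
        for line in text.splitlines():
            if re.match(r"\S.*:\s*$", line):       # "Keyslots:", "Digests:", ...
                section, slot = line.strip().rstrip(":"), None
            elif section == "Keyslots":
                if s := re.match(r"\s+(\d+): \S+", line):
                    slot = int(s.group(1))
                elif slot is not None and (k := re.match(r"\s+PBKDF:\s*(\S+)", line)):
                    slots[slot] = k.group(1)
    # Entries under "Digests" are not passphrase KDFs, so they are ignored here.
    needs_upgrade = version == 1 or any(not k.startswith("argon2") for k in slots.values())
    return version, slots, needs_upgrade

if __name__ == "__main__":
    for name in ("LUKS1_DUMP", "LUKS2_DUMP", "LUKS2_MIXED_DUMP"):
        print(name, audit_luks_dump(globals()[name]))
```

A plain text search for "pbkdf2" would flag the Argon2id-only sample because of its digest entry, which is why the parser tracks the section it is in; the mixed sample shows that a LUKS2 header alone does not mean every keyslot was converted.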