I kind of uh… have an issue. I do have schizophrenia, and it’s due to this that it’s gotten so bad, but I’m self-aware, and am trying to work on it each day. But with that said… each time I switch OSes, I encrypt my computer, and I encrypt it several orders of magnitude past what is average: typically 3,000 - 5,000 rounds of Argon2id and SHA-512. You will not be able to talk me down from this. However, in typical fashion, the new OS I’m trying to install doesn’t like it when I do this, lol. It takes about 10 minutes to boot up, just enough time for me to get up, go get coffee, and sit back down.
So my point being, something is going into emergency mode after I type in my password on boot, and I don’t know which service it is. At first it was the dracut initqueue, but I believe I disabled that with rd.retry=0 and rd.timeout=0 in the boot params. And this is all that I see in journalctl after it goes into the emergency shell. Anybody able to aid me in my stupidity? I know that it’s stupid that I’m even doing this, but… my concept is “If it’s not harming anyone, and is only minimally harming hardware, where’s the harm in letting a paranoid person sleep safe at night?” Regardless, I’m expecting a lot of hate, but… that’s fine, and I really don’t blame you. This is outright stupid lol. Anyways, if you try to help, thank you for helping out this lost cause of a person here.
Welcome, friend. We’re here to help you as much as we can.
I know you tagged luks2, but I’m more interested in how you have your setup. I can rightfully assume you are setting up Fedora manually, but I would like to know if you are creating a container, then running the standard install with luks2 as well?
Can you go into some explanation as to your setup? How are your luks container / partitions set up? I think the issue is it cannot find a bootable device.
Hi! I am also interested in how you set this up. Did you also increase the memory and thread parameters of argon2id? These might give you the extra security you want without lengthening the unlock times to such extremes.
And this is probably something you know already, but argon2id is only used to generate a key from the password. So if you have a strong password you should be able to lower it to a more usable level; it doesn’t really increase the security. Using something like 10 seconds and a high value for memory and threads will already make it impossible for an attacker to crack the password without finding a flaw in argon2id.
From my experience, you are absolutely right; I think there are diminishing returns here. The setup OP has is doable, but your point was exactly what I was thinking. I just didn’t communicate it. Adding to your statement, 500 - 1000 iterations is pretty good!
Sorry, I’m here now. So I’ve been working with cryptography stuff since 2013, so I know what everything does, but it’s the very time that makes it extremely secure. If it takes 10 minutes between tries, there’s no way anybody will be able to brute force it. That’s my logic lmao. That said… I did echo -en (password) | sudo cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5000 --hash sha512 /dev/sdX3 && echo -en (password) | sudo cryptsetup reencrypt (same settings) /dev/sdX3
That’s how I fully reencrypted everything, due to how Fedora encrypts things. I decided to switch back to Nix for a little while, until I had some people who could help (or if none, then stay on Nix), so I’m glad to see some people trying to help out, and actually be kind to me rather than berate me for being paranoid. Thank you guys for being super
I’m willing to switch back, once we have a good idea of the boot params/thing we need to change to get me into linux, while still having the time of the encryption at hand – and I don’t mind if we need to test around a bit.
Oh, I think I forgot to mention: everything is vanilla. I couldn’t figure out how to install Fedora manually, so I didn’t; I just let it ride typically, then reencrypted it after the fact. Should I start the switch back? The reencryption with 5k hashes, which I’d prefer, takes hours. How sure are you guys that we’ll be able to figure it out?
We do not do that here! We embrace it; we all have our quirks, it makes us different and special. There’s always common ground, and this is a cause I sympathize with.
Now, back to the nerdy stuff!
You’re going to have to give me a bit here. I’m not sure you can do this with the main key? I think you can with keys you add after??? I need to do some checking here.
I have done some stuff in the past where I create the container with luks2, then open it and create a full install inside of it, having the special parameters for keys etc.
Let me get back to you here. . . BRB
EDIT (future me):
I figured you did. Most people have to use the advanced setup with blivet-gui to get more functionality (this is how I set up my stuff IRL).
This is where I think we have the issue. but I need to think some more.
We will! Stay with what you have; I think there are some ways to fix it. Do you have a LiveUSB?
As for that first part… thank you. You guys are awesome. That said,
Note about that, then, since you’re gonna try to recreate: luksConvertKey can only be done in a higher version than what Fedora provides, or something like that. I do so using an Arch ISO, convert the key, then hop back on Fedora and open it. So you’ll have to do it on an ISO with a higher version of cryptsetup.
Yes, I do have a LiveUSB, plugged up with Ventoy. I’ll reinstall Fedora on it, so we can get it all going. That said… I prefer for it to take the 10 - 15 minutes that it does. It’s just that I’d prefer for all the “killers” and “timeouters” to be disabled, is all. Thank you. Oh, also, it works, because I can open it later. It’s just that it takes time is all.
Yes, longer time is better. But you are forgetting a key factor here: parallelization.
If an attacker can do many guesses in parallel on a single machine then the total time per hash doesn’t matter that much. That’s why the memory and threads are still very important.
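To put numbers on the parallelization point above (and on the earlier remark that a strong passphrase with roughly 10 seconds of unlock time and a high memory cost already makes guessing impractical), here is an added shell example; it is not from the thread or from cryptsetup. It uses the standard first-order model in which one Argon2id guess costs work proportional to time cost times memory cost, and an attacker keeps as many guesses in flight as fit in RAM. The 64 GiB attacker box, the 40-bit passphrase entropy and the assumption that the attacker's per-guess speed matches the defender's are all assumptions; the 1 GiB default and 4 GiB maximum memory cost are cryptsetup's as I understand them, so check them against your version.

```shell
#!/bin/sh
# Added example, not from the thread. A back-of-the-envelope model of why
# Argon2id memory cost matters once an attacker runs guesses in parallel.
# Model: one guess costs about time_cost * memory_kib units of work (wall
# time per guess is proportional to that product), and an attacker with
# attacker_ram_kib of RAM can keep attacker_ram_kib / memory_kib guesses
# in flight at once. All hardware numbers below are assumptions.

# lanes <attacker_ram_kib> <memory_kib>: concurrent guesses that fit in RAM
lanes() {
    echo $(( $1 / $2 ))
}

# work_per_guess <time_cost> <memory_kib>: relative cost of one guess
work_per_guess() {
    echo $(( $1 * $2 ))
}

# years_to_crack <entropy_bits> <seconds_per_guess> <lanes>
# Expected time to hit a passphrase of <entropy_bits> bits: half the
# keyspace, each guess taking <seconds_per_guess> (measured on the
# defender's machine, assumed comparable to the attacker's), with <lanes>
# guesses running at once. Integer math; refuses >50 bits to avoid overflow.
years_to_crack() {
    bits=$1; secs=$2; n=$3
    if [ "$bits" -gt 50 ]; then
        echo "entropy above 50 bits overflows this toy model" >&2
        return 1
    fi
    half_space=$(( 1 << (bits - 1) ))
    echo $(( half_space * secs / n / 31536000 ))
}

ATTACKER_RAM_KIB=$(( 64 * 1024 * 1024 ))   # assumed 64 GiB cracking box
UNLOCK_SECONDS=600                          # the ~10 minute unlock from the thread
BITS=40                                     # assumed passphrase entropy

# Config A: what the thread describes, 5000 iterations at cryptsetup's
# default 1 GiB memory cost.
# Config B: same work per guess (so about the same unlock time) with the
# iterations traded for a 4 GiB memory cost (cryptsetup's maximum).
A_T=5000; A_M=$(( 1024 * 1024 ))
B_T=1250; B_M=$(( 4 * 1024 * 1024 ))

echo "work per guess  A: $(work_per_guess $A_T $A_M)  B: $(work_per_guess $B_T $B_M)"
echo "attacker lanes  A: $(lanes $ATTACKER_RAM_KIB $A_M)  B: $(lanes $ATTACKER_RAM_KIB $B_M)"
echo "years to crack  A: $(years_to_crack $BITS $UNLOCK_SECONDS "$(lanes $ATTACKER_RAM_KIB $A_M)")"
echo "years to crack  B: $(years_to_crack $BITS $UNLOCK_SECONDS "$(lanes $ATTACKER_RAM_KIB $B_M)")"
```

The two configurations cost the defender the same unlock time, but config B lets the attacker run a quarter as many guesses per machine, so the expected cracking time goes up fourfold. The attacker also picks how many machines to buy, so the model says nothing absolute; what it shows is that for a fixed unlock time the memory cost, not the iteration count, is the knob that limits throughput, and that passphrase entropy still dominates both.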
I’m not gonna derail us just yet. . . but we are both in the right direction as to the container creation. But with the header file etc. all is possible; it just needs orchestration. Let me get my ducks in a row and come back in a bit!
> Yes, longer time is better. But you are forgetting a key factor here: parallelization.
That’s very true, and a point I hadn’t thought of. And one that I’ll attempt to add onto my new reencryption installation of Fedora. Thank you.
> If an attacker can do many guesses in parallel on a single machine then the total time per hash doesn’t matter that much. That’s why the memory and threads are still very important.
Is it a bad idea to ever increase the amount of threads to the max it can be? And is there a way to do that in the settings, without knowing how many threads one has? I believe I have 12, but I want to make sure. I ask, because I’m about to start reencrypting again.
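On the thread-count question, an added example that is not from the thread: a small POSIX shell helper that derives `--pbkdf-parallel` and `--pbkdf-memory` values from the machine, prints the resulting luksConvertKey command as a dry run, and parses `cryptsetup luksDump` text afterwards to confirm what actually landed in the keyslot. It assumes cryptsetup's Argon2 limits of 4 threads and 4 GiB of memory cost (in KiB) and that its benchmark keeps memory cost at or below half of physical RAM, and it assumes the luksDump layout shown in the constructed sample; verify all three against your cryptsetup version. One caveat on threads: Argon2 parallelism does not raise the attacker's cost by itself, since the same total memory is just filled by more lanes at once; its value is that a larger memory cost fits into the same unlock time.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for choosing Argon2id
# parameters for cryptsetup and for checking what a keyslot actually uses.
# Assumptions: cryptsetup accepts at most 4 Argon2 threads (--pbkdf-parallel)
# and at most 4 GiB of memory cost (--pbkdf-memory, in KiB), and its
# benchmark keeps the memory cost at or below half of physical RAM.

MAX_THREADS=4
MAX_MEMORY_KIB=$(( 4 * 1024 * 1024 ))

# pbkdf_threads <cpu_count>: all cores, capped at cryptsetup's limit
pbkdf_threads() {
    if [ "$1" -gt "$MAX_THREADS" ]; then echo "$MAX_THREADS"; else echo "$1"; fi
}

# pbkdf_memory_kib <memtotal_kib>: half of RAM, capped at cryptsetup's limit
pbkdf_memory_kib() {
    half=$(( $1 / 2 ))
    if [ "$half" -gt "$MAX_MEMORY_KIB" ]; then echo "$MAX_MEMORY_KIB"; else echo "$half"; fi
}

# convert_cmd <device> <time_cost> <memory_kib> <threads>: print (do not run)
# the luksConvertKey invocation; cryptsetup prompts for the passphrase itself.
convert_cmd() {
    echo "cryptsetup luksConvertKey --pbkdf argon2id" \
         "--pbkdf-force-iterations $2 --pbkdf-memory $3 --pbkdf-parallel $4 $1"
}

# luks_keyslot_pbkdf <slot>: read 'cryptsetup luksDump' text on stdin and print
# "<pbkdf> <time_cost> <memory_kib> <threads>" for that keyslot. Only the
# Keyslots: section is read, so the pbkdf2 line under Digests: is ignored.
luks_keyslot_pbkdf() {
    awk -v want="$1" '
        /^Keyslots:/              { in_slots = 1; next }
        /^(Tokens|Digests):/      { in_slots = 0 }
        in_slots && /^  [0-9]+: / { slot = $1; sub(":", "", slot); next }
        in_slots && slot == want && $1 == "PBKDF:"   { pbkdf = $2 }
        in_slots && slot == want && $1 == "Time"     { t = $3 }
        in_slots && slot == want && $1 == "Memory:"  { m = $2 }
        in_slots && slot == want && $1 == "Threads:" { p = $2 }
        END { if (pbkdf != "") print pbkdf, t, m, p }
    '
}

# Constructed luksDump excerpt (not real output from any device), in the
# layout of a LUKS2 header with one keyslot converted as in the thread.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  5000
    Memory:     1048576
    Threads:    4
    Salt:       (omitted)
    AF stripes: 4000
    AF hash:    sha512
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 123456'

# Dry run against this machine (falls back to assumed values off Linux).
cpus=$(nproc 2>/dev/null || echo 4)
mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || echo 8388608)
[ -n "$mem" ] || mem=8388608
echo "suggested: $(convert_cmd /dev/sdX3 5000 "$(pbkdf_memory_kib "$mem")" "$(pbkdf_threads "$cpus")")"
echo "keyslot 0 in sample dump: $(printf '%s\n' "$SAMPLE_DUMP" | luks_keyslot_pbkdf 0)"
```

After a real conversion, `sudo cryptsetup luksDump /dev/sdX3 | luks_keyslot_pbkdf 0` shows whether the requested memory and thread values survived cryptsetup's limits; the sample dump above is constructed only to exercise the parser.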
I’ve tried that on Fedora tty2; it didn’t work. I don’t know why, either, but it doesn’t. That said, it’d be nice to not have to switch back and forth to the Arch ISO so often, and just stick to one, but… I don’t see it on Fedora. As in, it wasn’t an option for a command.