How is Fedora booting from a LUKS2 partition with argon2id PBKDF when GRUB2 allegedly doesn't support it?

pieterd · March 16, 2025, 1:36pm

According to the Arch wiki GRUB 2.12rc1 doesn’t support LUKS2 with an argon2id password-based key derivation function yet.

However, when installing Fedora with disk encryption turned on it appears that a LUKS2 partition with argon2id gets created, GRUB2 is used, and it boots just fine. How might Fedora be pulling this off?

barryascott · March 16, 2025, 1:54pm

The LUKS2 is unlocked by the code in the initramfs not grub.

The boot sequence is

UEFI loads grub
grub loads the kernel and initramfs(?)
code in initramfs unlocks the LUKS partitions

The kernel and initramfs are not on an encrypted partition.

Topic		Replies	Views
LUKS2 encrypted boot on Fedora - how to set up correctly? Ask Fedora installation , security , selinux , luks2 , grub , cryptsetup , encrypted-boot	11	2059	July 26, 2024
System with Full Disk Encryption Stopped Offering LUKS Prompt On Boot Ask Fedora lvm , systemd , encryption , boot , luks2 , f39	53	2234	April 22, 2024
Fedora 41 Woes Ask Fedora luks2 , grub , f41	7	700	October 31, 2024
Will Fedora use Btrfs for /boot in the future? Ask Fedora f33 , btrfs	8	3671	November 25, 2020
Unlock LUKS with FIDO2 token Ask Fedora f36 , silverblue	1	1378	April 10, 2023

How is Fedora booting from a LUKS2 partition with argon2id PBKDF when GRUB2 allegedly doesn't support it?

Related topics