git.ipfire.org Git - thirdparty/systemd.git/commit

author	Nandakumar Raghavan <naraghavan@microsoft.com>
	Mon, 6 Apr 2026 10:42:51 +0000 (10:42 +0000)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Sat, 18 Apr 2026 10:03:52 +0000 (11:03 +0100)
commit	fa6eb2e016a53d741ec48a784a8ea075ec3d4fe0
tree	2592aaeaa73833a26f92a077c79936deca244ff7	tree \| snapshot
parent	2a6e40c2f551f2ad4bfecb5be5aac990a565a6b3	commit \| diff

repart: add EncryptKDF= option for LUKS2 partitions

systemd-repart currently creates LUKS2 encrypted partitions using
libcryptsetup's default KDF (Argon2id), which requires ~1GB of memory
during key derivation. This is too much for memory-constrained
environments such as kdump with limited crashkernel memory, where
luksOpen fails due to insufficient memory.

Add an EncryptKDF= option to repart.d partition definitions that allows
selecting the KDF type. Supported values are:

- "argon2id" — Argon2id with libcryptsetup-benchmarked parameters
- "pbkdf2"  — PBKDF2 with libcryptsetup-benchmarked parameters
- "minimal" — PBKDF2 with SHA-512, 1000 iterations, no benchmarking,
  matching the existing cryptsetup_set_minimal_pbkdf() behaviour used
  for TPM2-sealed keys

When not specified, the libcryptsetup default (argon2id) is used,
preserving existing behaviour.

The KDF type is applied via sym_crypt_set_pbkdf_type() after
sym_crypt_format() and before any keyslots are added.

man/repart.d.xml		diff \| blob \| blame \| history
src/repart/repart.c		diff \| blob \| blame \| history