Follow-up Comment #15, bug #55093 (project grub):

One thing that I haven't seen mentioned anywhere (not in the commit that added
LUKS2 support, not in ArchWiki or other places) is that not only does the
keyslot need to be PBKDF2, but it also needs to use a sha256 hash and/or the
keyslot hash has to be equal to the AF hash. Keyslot=sha512, AF=sha256 didn't
work. I didn't try with both as sha256, but someone reported it worked for
them: https://wiki.archlinux.org/title/Talk:GRUB#LUKS2_in_2.12rc1

When I tried converting to LUKS1 with "cryptsetup convert", cryptsetup also
refused to convert as it said the keyslot parameters were incompatible, but
didn't say which parameter exactly. I went and read the cryptsetup source and
found that it requires that the keyslot hash equals the AF hash. So after I
changed the keyslot to sha256 to be the same as the AF, I could convert to
LUKS1 and could boot from it. This was with grub 2.06-13+deb12u1. I didn't try
LUKS2 with sha256 and this grub version yet.


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?55093>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
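
Added example, not part of the original comment and not GRUB or cryptsetup code: a check over LUKS2 JSON metadata (as printed by "cryptsetup luksDump --dump-json-metadata") that flags keyslots failing the two conditions the comment reports, namely a PBKDF2 KDF and a keyslot hash equal to the AF hash. The function name check_keyslots is hypothetical and the sample metadata is constructed.

```python
import json

# Constructed sample shaped like `cryptsetup luksDump --dump-json-metadata`
# output, trimmed to the fields read below; all values are made up.
SAMPLE_METADATA = """
{"keyslots": {
  "0": {"type": "luks2", "key_size": 64,
        "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
        "kdf": {"type": "pbkdf2", "hash": "sha512", "iterations": 1000000}},
  "1": {"type": "luks2", "key_size": 64,
        "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
        "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
  "2": {"type": "luks2", "key_size": 64,
        "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
        "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}}
}}
"""


def check_keyslots(metadata_json):
    """Map each keyslot id to a list of problems (empty list = slot passes).

    Rules are the ones reported in the comment above (an assumption, not
    documented GRUB behaviour): KDF must be pbkdf2 and the KDF hash must
    equal the anti-forensic (AF) splitter hash.
    """
    keyslots = json.loads(metadata_json).get("keyslots", {})
    report = {}
    for slot_id in sorted(keyslots, key=int):
        kdf = keyslots[slot_id].get("kdf", {})
        af = keyslots[slot_id].get("af", {})
        problems = []
        if kdf.get("type") != "pbkdf2":
            # Argon2 slots carry no "hash" field, so stop at the KDF type.
            problems.append(f"kdf is {kdf.get('type')}, not pbkdf2")
        elif kdf.get("hash") != af.get("hash"):
            problems.append(
                f"kdf hash {kdf.get('hash')} != af hash {af.get('hash')}")
        report[slot_id] = problems
    return report


if __name__ == "__main__":
    for slot, problems in check_keyslots(SAMPLE_METADATA).items():
        print(f"keyslot {slot}:", "; ".join(problems) or "ok")
```

Slot 0 in the sample reproduces the Keyslot=sha512, AF=sha256 combination described in the comment.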

