Comment 1 for bug 1949197
Revision history for this message
| Nikos Mavrogiannopoulos (nmavrogiannopoulos) wrote | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
9199653
demo site
(Get the code!)
To provide more context in terms of business need. We use cryptsetup for full disk encryption, and cryptsetup correctly delegates its cryptography to other components such as openssl and kernel. However for key derivation cryptsetup switched to argon in 18.04 via a 3rd party library, and as this is not a FIPS validated library (as well as the algorithm is prohibited), the problem starts.
To comply with the regulations we need to be offering PBKDF by default because disk encryption currently is done at the installer that is not aware of the FIPS mode. It may be possible for the user to override, and cryptsetup should continue to be able to decrypt old volumes that use argon2 of course.
The ideal state is that in FIPS mode, cryptsetup should not allow to create a new volume with argon2, though it should be able to use it (see here about detecting fips mode https:/
Note that there is an --enable-fips flag that may be helpful towards that goal, though I haven't verified.