KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Argon2id KDF configuration for LUKS2 (FINDING-005)

Browse Source 
Debian partman-crypto does not support preseed configuration for KDF
type, defaulting to PBKDF2. PRD requires Argon2id for its superior
resistance to GPU-based attacks.

Solution: Post-install hook that creates:
- /usr/local/bin/convert-luks-kdf.sh: User-runnable script to convert
  PBKDF2 to Argon2id with proper parameters (memory=1GB, parallelism=4)
- /etc/profile.d/knel-kdf-reminder.sh: Login reminder until conversion
- Updated /var/backups/keys/README.txt with conversion instructions

Tests added (3 new):
- Argon2id KDF configuration hook or script exists
- KDF conversion helper script is created
- User receives notification about KDF optimization

Reference: docs/PRD.md encryption requirements
Audit: FINDING-005 (2026-02-20)

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-02-20 11:00:23 -05:00
parent bdf1f1b395
commit 5b01cfd71b
2 changed files with 160 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/unit/encryption-setup_test.bats
View File

@@ -54,3 +54,25 @@
@test "Encryption setup configures GRUB" {
grep -q "grub" /workspace/config/hooks/installed/encryption-setup.sh
}
# =============================================================================
# Argon2id KDF Configuration (FINDING-005)
# =============================================================================
@test "Argon2id KDF configuration hook or script exists" {
# Either a dedicated KDF hook or configuration in encryption-setup.sh
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ] || \
grep -q "argon2id\|luksConvertKey" /workspace/config/hooks/installed/encryption-setup.sh
}
@test "KDF conversion helper script is created" {
# encryption-setup.sh should create a helper script for KDF conversion
grep -q "convert.*kdf\|kdf.*convert\|luksConvertKey" /workspace/config/hooks/installed/encryption-setup.sh || \
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ]
}
@test "User receives notification about KDF optimization" {
# A reminder should be created for the user to optimize KDF
grep -q "profile.d\|motd\|reminder" /workspace/config/hooks/installed/encryption-setup.sh || \
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ]
}