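#!/bin/bash
# LUKS KDF verification hook
#
# PRD FR-001 requires Argon2id. The preseed early_command patches
# partman-crypto to use --pbkdf argon2id at format time. This hook
# verifies the conversion succeeded and installs fallback tools (a manual
# conversion helper and a login reminder) if it did not.
#
# Reads:  the LUKS2 header of the encrypted root device (cryptsetup luksDump)
# Writes: /var/lib/knel-kdf-optimized      marker, only once Argon2id is confirmed
#         /usr/local/bin/convert-luks-kdf.sh manual conversion helper
#         /etc/profile.d/knel-kdf-reminder.sh login reminder
#         /var/backups/keys/README.txt       KDF line, only once Argon2id is confirmed
#
# Reference: PRD.md FR-001, security-model.md
# Copyright 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only

set -euo pipefail

readonly MARKER=/var/lib/knel-kdf-optimized
readonly HELPER=/usr/local/bin/convert-luks-kdf.sh
readonly REMINDER_FILE=/etc/profile.d/knel-kdf-reminder.sh
readonly KEYS_README=/var/backups/keys/README.txt
# Partition layouts the installer is known to produce; tried before lsblk.
CANDIDATE_DEVICES=(/dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3)
readonly CANDIDATE_DEVICES

#######################################
# Print the first block device that carries a LUKS header.
# Known partition layouts are checked first, then lsblk is consulted.
# Outputs: device path on stdout, nothing when no device is found
# Returns: 0 always (absence is signalled by empty output)
#######################################
find_luks_device() {
  local dev
  for dev in "${CANDIDATE_DEVICES[@]}"; do
    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
      printf '%s\n' "$dev"
      return 0
    fi
  done
  # Fallback: the first crypto_LUKS device lsblk reports. That is not
  # necessarily the root device, so keep CANDIDATE_DEVICES current for
  # every supported layout.
  if command -v lsblk >/dev/null 2>&1; then
    lsblk -lnpo NAME,FSTYPE 2>/dev/null \
      | awk '$2 == "crypto_LUKS" {print $1; exit}' || true
  fi
}

#######################################
# Report the KDF(s) configured on a LUKS device's keyslots.
# LUKS2 luksDump prints one "PBKDF: <name>" line per keyslot; a bare
# "KDF:" field is accepted as well. Every keyslot is inspected, not just
# the first: one keyslot left on pbkdf2 keeps the header brute-forceable
# regardless of the others.
# Arguments: $1 - LUKS device path
# Outputs:   sorted, comma-separated list of distinct KDF names
#            ("argon2id", "argon2id,pbkdf2", ...), or "unknown"
# Returns:   0 always
#######################################
luks_kdfs() {
  local kdfs
  kdfs=$(cryptsetup luksDump "$1" 2>/dev/null \
    | awk '/^[[:space:]]+(PB)?KDF:/ {print $2}' \
    | sort -u | tr '\n' ',' || true)
  kdfs=${kdfs%,}
  printf '%s\n' "${kdfs:-unknown}"
}

echo "Verifying LUKS KDF configuration..."

LUKS_DEVICE=$(find_luks_device)

if [ -z "$LUKS_DEVICE" ]; then
  echo "WARNING: No LUKS device found for KDF verification"
else
  echo "Found LUKS device: $LUKS_DEVICE"
  CURRENT_KDF=$(luks_kdfs "$LUKS_DEVICE")
  echo "Current KDF: $CURRENT_KDF"
  if [ "$CURRENT_KDF" = "argon2id" ]; then
    echo "KDF verification PASSED: Argon2id confirmed"
    touch "$MARKER"
  else
    echo "WARNING: KDF is $CURRENT_KDF, expected argon2id"
    echo "The early_command patch may not have applied."
    echo "Run $HELPER after first boot to convert."
  fi
fi

# Create the KDF conversion helper script. The heredoc delimiter is quoted,
# so nothing below is expanded here: the helper is a self-contained script.
cat > "$HELPER" <<'SCRIPT'
#!/bin/bash
# Convert LUKS2 KDF from PBKDF2 to Argon2id
# Run this script with sudo after first boot. luksConvertKey converts the
# keyslot that the entered passphrase unlocks; if the header has several
# keyslots, re-run once per passphrase until every slot reports argon2id.
set -euo pipefail

readonly MARKER=/var/lib/knel-kdf-optimized

# Print the first block device that carries a LUKS header: known partition
# layouts first, then the first crypto_LUKS device lsblk reports. Empty
# output means nothing was found.
find_luks_device() {
  local dev
  for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
      printf '%s\n' "$dev"
      return 0
    fi
  done
  if command -v lsblk >/dev/null 2>&1; then
    lsblk -lnpo NAME,FSTYPE 2>/dev/null \
      | awk '$2 == "crypto_LUKS" {print $1; exit}' || true
  fi
}

# Sorted, comma-separated list of the distinct KDFs across all keyslots
# (the "PBKDF:" lines of luksDump; a bare "KDF:" field is accepted too),
# or "unknown" when the header cannot be read.
luks_kdfs() {
  local kdfs
  kdfs=$(cryptsetup luksDump "$1" 2>/dev/null \
    | awk '/^[[:space:]]+(PB)?KDF:/ {print $2}' \
    | sort -u | tr '\n' ',' || true)
  kdfs=${kdfs%,}
  printf '%s\n' "${kdfs:-unknown}"
}

echo "================================================================================"
echo " KNEL-Football Secure OS - LUKS KDF Optimization"
echo "================================================================================"
echo ""
echo "This script converts your LUKS2 key derivation function to Argon2id."
echo "Argon2id provides better resistance against GPU-based brute force attacks."
echo ""
echo "You will need to enter your encryption passphrase."
echo ""

# Check root privileges (cryptsetup needs raw access to the device)
if [ "$EUID" -ne 0 ]; then
  echo "ERROR: This script must be run as root (use sudo)"
  exit 1
fi

LUKS_DEVICE=$(find_luks_device)
if [ -z "$LUKS_DEVICE" ]; then
  echo "ERROR: No LUKS device found"
  echo "Checked: /dev/sda3, /dev/nvme0n1p3, /dev/nvme1n1p3, /dev/vda3 and lsblk"
  exit 1
fi
echo "Found LUKS device: $LUKS_DEVICE"
echo ""

# Check current KDF across all keyslots
CURRENT_KDF=$(luks_kdfs "$LUKS_DEVICE")
echo "Current KDF: $CURRENT_KDF"

if [ "$CURRENT_KDF" = "argon2id" ]; then
  echo ""
  echo "SUCCESS: KDF is already configured as Argon2id"
  echo "No conversion needed."
  # Mark as done so reminder stops appearing
  touch "$MARKER"
  exit 0
fi

echo ""
echo "Converting KDF to Argon2id..."
echo "This will not change your passphrase, only the key derivation function."
echo ""

# Convert to Argon2id
# Note: luksConvertKey prompts for the existing passphrase and converts
# the keyslot that passphrase unlocks.
if cryptsetup luksConvertKey "$LUKS_DEVICE" --pbkdf argon2id; then
  echo ""
  echo "================================================================================"
  echo " SUCCESS: KDF converted to Argon2id"
  echo "================================================================================"
  echo ""
  echo "Your LUKS encryption now uses Argon2id key derivation function."
  echo "This provides better protection against brute force attacks."
  echo ""

  # Verify the conversion before recording it as done: the marker means
  # "Argon2id enforced", which is only true once every keyslot reports it.
  NEW_KDF=$(luks_kdfs "$LUKS_DEVICE")
  echo "Verified KDF: $NEW_KDF"
  if [ "$NEW_KDF" = "argon2id" ]; then
    # Mark as done so reminder stops appearing
    touch "$MARKER"
  else
    echo ""
    echo "NOTE: Other keyslots still use a different KDF ($NEW_KDF)."
    echo "Re-run this script with each remaining passphrase to convert them."
  fi
else
  echo ""
  echo "ERROR: KDF conversion failed"
  echo "This may happen if the passphrase was incorrect."
  echo "Your encryption is still working with the previous KDF."
  exit 1
fi
SCRIPT
# Explicit mode rather than +x: the helper is run as root via sudo, so it
# must not end up group- or world-writable if the installer's umask is loose.
chmod 0755 "$HELPER"

# Create login reminder for the user. /etc/profile.d scripts are sourced by
# the login shell, which on Debian may be dash, so the content is POSIX sh.
cat > "$REMINDER_FILE" <<'REMINDER'
#!/bin/sh
# Reminder to optimize LUKS KDF (shown on login until the marker file exists)
# POSIX sh only: $EUID is bash-specific and unset under dash, so id -u is
# used instead. Shown to root logins only.
# NOTE(review): confirm whether sudo-capable non-root users should see it too.
if [ ! -f /var/lib/knel-kdf-optimized ] && [ "$(id -u)" -eq 0 ]; then
  echo ""
  echo "================================================================================"
  echo " SECURITY RECOMMENDATION: Optimize LUKS Key Derivation Function"
  echo "================================================================================"
  echo ""
  echo "Your system uses LUKS2 disk encryption. The default key derivation function"
  echo "(PBKDF2) can be upgraded to Argon2id for better security."
  echo ""
  echo "To upgrade, run:"
  echo " sudo /usr/local/bin/convert-luks-kdf.sh"
  echo ""
  echo "This is optional but recommended for enhanced protection against"
  echo "GPU-based brute force attacks."
  echo ""
fi
REMINDER
chmod 0755 "$REMINDER_FILE"

# Update the README only when Argon2id is actually in place. Without the
# marker the README's "run convert-luks-kdf.sh to enable" line is still the
# accurate description of the system.
if [ -f "$MARKER" ] && [ -f "$KEYS_README" ]; then
  sed -i 's|- KDF: Argon2id (run /usr/local/bin/convert-luks-kdf\.sh to enable)|- KDF: Argon2id|' \
    "$KEYS_README" 2>/dev/null || true
fi

echo "LUKS KDF configuration completed."
echo "Helper script: $HELPER"
if [ -f "$MARKER" ]; then
  echo "Status: Argon2id ENFORCED"
else
  echo "Status: Argon2id pending (manual conversion required on first login)"
fi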