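#!/bin/bash
# LUKS KDF configuration hook - Convert PBKDF2 to Argon2id
# Addresses FINDING-005: Argon2id KDF not explicitly configured
#
# Debian partman-crypto does not support preseed configuration for KDF type.
# Default LUKS2 uses PBKDF2. This hook creates tools for user-initiated
# conversion to Argon2id (more resistant to GPU-based attacks).
#
# What this hook installs:
#   /usr/local/bin/convert-luks-kdf.sh   - root-run converter (bash)
#   /etc/profile.d/knel-kdf-reminder.sh  - login reminder (POSIX sh, sourced)
# and annotates /var/backups/keys/README.txt when that file exists.
# The converter creates /var/lib/knel-kdf-optimized on success, which
# silences the reminder.
#
# Reference: PRD.md FR-001, security-model.md
# Copyright 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only

set -euo pipefail

readonly CONVERTER=/usr/local/bin/convert-luks-kdf.sh
readonly REMINDER=/etc/profile.d/knel-kdf-reminder.sh
readonly README=/var/backups/keys/README.txt

echo "Configuring LUKS KDF optimization tools..."

# Create the KDF conversion helper script.
# Quoted delimiter: nothing inside is expanded by this hook.
cat > "$CONVERTER" <<'SCRIPT'
#!/bin/bash
# Convert LUKS2 KDF from PBKDF2 to Argon2id
# Run this script with sudo after first boot.
#
# Usage: convert-luks-kdf.sh [luks-device]
#   Without an argument the LUKS container is located automatically.
#
# Flow: locate the LUKS device, confirm it is LUKS2 (luksConvertKey is
# LUKS2-only), inspect the KDF of every keyslot, then convert the keyslot
# unlocked by the entered passphrase. cryptsetup prompts for the passphrase
# itself, so it never passes through this script's argv or environment.
#
# Exit status: 0 when the KDF is (or already was) Argon2id, 1 on error.

set -euo pipefail

# Marker that silences /etc/profile.d/knel-kdf-reminder.sh.
readonly DONE_MARKER=/var/lib/knel-kdf-optimized
# Tried only when blkid is missing or enumerates no LUKS device.
readonly -a FALLBACK_DEVICES=(/dev/sda3 /dev/nvme0n1p3 /dev/vda3)
readonly RULE="================================================================================"

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Print the path of the LUKS container to convert.
# Prefers blkid enumeration; falls back to FALLBACK_DEVICES. When several
# containers exist the first is used and the rest are reported on stderr so
# the operator can rerun with an explicit device argument.
# Returns: 0 and the device on stdout, 1 when nothing is found.
#######################################
find_luks_device() {
  local -a found=()
  local dev
  if command -v blkid >/dev/null 2>&1; then
    while IFS= read -r dev; do
      [[ -z "$dev" ]] || found+=("$dev")
    done < <(blkid -t TYPE=crypto_LUKS -o device 2>/dev/null || true)
  fi
  if (( ${#found[@]} == 0 )); then
    for dev in "${FALLBACK_DEVICES[@]}"; do
      if [[ -b "$dev" ]] && cryptsetup isLuks "$dev" 2>/dev/null; then
        found+=("$dev")
      fi
    done
  fi
  if (( ${#found[@]} == 0 )); then
    return 1
  fi
  if (( ${#found[@]} > 1 )); then
    printf 'WARNING: several LUKS devices found (%s); using %s\n' \
      "${found[*]}" "${found[0]}" >&2
  fi
  printf '%s\n' "${found[0]}"
}

#######################################
# Print the "Version:" value of a luksDump header text ($1).
#######################################
header_version() {
  awk '/^Version:/ { print $2; exit }' <<<"$1"
}

#######################################
# Print the distinct KDF names used by the keyslots of a luksDump header
# text ($1), space-separated, or "unknown" when no KDF line is present.
# Parsing a captured string (not a live pipe) avoids SIGPIPE noise under
# pipefail when the reader stops early.
#######################################
header_kdfs() {
  local list
  list=$(awk '/^[[:space:]]+KDF:/ && !seen[$2]++ { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }' <<<"$1")
  printf '%s\n' "${list:-unknown}"
}

main() {
  local device header kdfs

  echo "$RULE"
  echo " KNEL-Football Secure OS - LUKS KDF Optimization"
  echo "$RULE"
  echo ""
  echo "This script converts your LUKS2 key derivation function to Argon2id."
  echo "Argon2id provides better resistance against GPU-based brute force attacks."
  echo ""
  echo "You will need to enter your encryption passphrase."
  echo ""

  # Check root privileges
  (( EUID == 0 )) || die "ERROR: This script must be run as root (use sudo)"

  # Locate the container: explicit argument wins, otherwise autodetect.
  if (( $# >= 1 )); then
    device=$1
    cryptsetup isLuks "$device" 2>/dev/null || die "ERROR: $device is not a LUKS device"
  else
    device=$(find_luks_device) || die "ERROR: No LUKS device found" \
      "Checked: blkid TYPE=crypto_LUKS and ${FALLBACK_DEVICES[*]}" \
      "Usage: $0 [luks-device]"
  fi
  echo "Found LUKS device: $device"
  echo ""

  # Read the header once; luksConvertKey only exists for LUKS2 headers, so a
  # LUKS1 container is rejected here with a clear message instead of a
  # cryptsetup error after the passphrase prompt.
  header=$(cryptsetup luksDump "$device") || die "ERROR: cannot read LUKS header of $device"
  [[ $(header_version "$header") == 2 ]] \
    || die "ERROR: $device is not LUKS2; luksConvertKey only supports LUKS2 headers"

  # All keyslots are inspected, not just the first one listed.
  kdfs=$(header_kdfs "$header")
  echo "Current KDF: $kdfs"

  if [[ "$kdfs" == "argon2id" ]]; then
    echo ""
    echo "SUCCESS: KDF is already configured as Argon2id"
    echo "No conversion needed."
    # Mark as done so reminder stops appearing
    touch "$DONE_MARKER"
    exit 0
  fi

  echo ""
  echo "Converting KDF to Argon2id..."
  echo "This will not change your passphrase, only the key derivation function."
  echo ""

  # luksConvertKey prompts for the passphrase and converts only the keyslot
  # that passphrase unlocks; other keyslots (e.g. a recovery key) keep their
  # current KDF until this script is rerun with their passphrase.
  if ! cryptsetup luksConvertKey "$device" --pbkdf argon2id; then
    echo "" >&2
    die "ERROR: KDF conversion failed" \
      "This may happen if the passphrase was incorrect." \
      "Your encryption is still working with the previous KDF."
  fi

  echo ""
  echo "$RULE"
  echo " SUCCESS: KDF converted to Argon2id"
  echo "$RULE"
  echo ""
  echo "Your LUKS encryption now uses Argon2id key derivation function."
  echo "This provides better protection against brute force attacks."
  echo ""

  # Mark as done so reminder stops appearing
  touch "$DONE_MARKER"

  # Verify the conversion and point out keyslots that were not converted.
  header=$(cryptsetup luksDump "$device") || die "ERROR: cannot re-read LUKS header of $device"
  kdfs=$(header_kdfs "$header")
  echo "Verified KDF: $kdfs"
  if [[ "$kdfs" != "argon2id" ]]; then
    printf 'WARNING: some keyslots still use another KDF (%s).\n' "$kdfs" >&2
    printf 'Rerun this script with the passphrase of each remaining keyslot.\n' >&2
  fi
}

main "$@"
SCRIPT

chmod +x "$CONVERTER"
# Catch a broken here-document at build time rather than on the installed system.
bash -n "$CONVERTER"

# Create login reminder for the user.
# Sourced by login shells via /etc/profile, so it must stay POSIX sh: no
# $EUID (unset under dash, which made the original test fail on every login),
# no [[ ]], and no exit (it would terminate the login shell).
cat > "$REMINDER" <<'REMINDER'
#!/bin/sh
# Reminder to optimize LUKS KDF (printed at login until the marker exists).
# Sourced by login shells: POSIX sh only, never call exit here.
# The marker /var/lib/knel-kdf-optimized is created by convert-luks-kdf.sh.
# Only root shells are reminded, since the conversion itself needs root.
if [ ! -f /var/lib/knel-kdf-optimized ] && [ "$(id -u)" -eq 0 ]; then
  echo ""
  echo "================================================================================"
  echo " SECURITY RECOMMENDATION: Optimize LUKS Key Derivation Function"
  echo "================================================================================"
  echo ""
  echo "Your system uses LUKS2 disk encryption. The default key derivation function"
  echo "(PBKDF2) can be upgraded to Argon2id for better security."
  echo ""
  echo "To upgrade, run:"
  echo " sudo /usr/local/bin/convert-luks-kdf.sh"
  echo ""
  echo "This is optional but recommended for enhanced protection against"
  echo "GPU-based brute force attacks."
  echo ""
fi
REMINDER

chmod +x "$REMINDER"
sh -n "$REMINDER"

# Update the README (if present) so it does not claim Argon2id is active
# before the conversion has been run. The grep guard keeps a re-run of this
# hook from appending the note a second time.
if [[ -f "$README" ]] && ! grep -qF -- 'convert-luks-kdf.sh to enable' "$README"; then
  sed -i 's/- KDF: Argon2id/- KDF: Argon2id (run \/usr\/local\/bin\/convert-luks-kdf.sh to enable)/' "$README" 2>/dev/null || true
fi

echo "LUKS KDF optimization tools configured."
echo "Helper script: $CONVERTER"
echo "User reminder: $REMINDER"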