Debian partman-crypto does not support preseed configuration for KDF
type, defaulting to PBKDF2. PRD requires Argon2id for its superior
resistance to GPU-based attacks.
Solution: Post-install hook that creates:
- /usr/local/bin/convert-luks-kdf.sh: User-runnable script to convert
PBKDF2 to Argon2id with proper parameters (memory=1GB, parallelism=4)
- /etc/profile.d/knel-kdf-reminder.sh: Login reminder until conversion
- Updated /var/backups/keys/README.txt with conversion instructions
Tests added (3 new):
- Argon2id KDF configuration hook or script exists
- KDF conversion helper script is created
- User receives notification about KDF optimization
Reference: docs/PRD.md encryption requirements
Audit: FINDING-005 (2026-02-20)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
5b01cfd71b