[Bug 2100555] [NEW] [Feature Request] Allow changing PBKDF in dm_crypt storage module for FIPS compliance
Ryan Stewart
2100555 at bugs.launchpad.net
Thu Feb 27 19:58:21 UTC 2025
Public bug reported:
Currently, there is no way to configure the PBKDF for dmcrypt when
running cryptsetup [1]. However, it is possible to do so [2]. The default
PBKDF is Argon2i, which is not currently FIPS 140-3 compliant. This
means users of 22.04 FIPS will not be able to autoinstall in a compliant
manner without additional steps [3].

I propose that we allow users to set this flag to one of the available
algorithms and pass this as a CLI option in the creation that I linked.
---
[1] https://github.com/canonical/curtin/blob/master/curtin/commands/block_meta.py#L1702C1-L1710C61
[2] https://manpages.ubuntu.com/manpages/jammy/en/man8/cryptsetup.8.html
[3] https://ubuntu.com/security/certifications/docs/2204/fips#p-99917-fips-and-full-disk-encryption
** Affects: curtin
     Importance: Undecided
         Status: New
** Affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New
** Also affects: ubuntu
     Importance: Undecided
         Status: New
** Also affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New
** No longer affects: ubuntu
https://bugs.launchpad.net/bugs/2100555
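
As an added illustration of the request above (not curtin's code and not part of the bug report): a sketch that passes a validated PBKDF to `cryptsetup luksFormat` through its `--pbkdf` option, and checks `cryptsetup luksDump` text for keyslots whose PBKDF is not on an allow-list. The function names, the `fips` parameter, the constructed sample dump, and the assumption that `pbkdf2` is the only approved choice are illustrative.

```python
import re

# Values accepted by cryptsetup's --pbkdf option (man page, reference [2]).
CRYPTSETUP_PBKDFS = ("pbkdf2", "argon2i", "argon2id")
# Assumption: PBKDF2 is the only one of these acceptable on a FIPS install.
FIPS_PBKDFS = ("pbkdf2",)

def luks_format_argv(device, keyfile, pbkdf=None, fips=False):
    """Build a `cryptsetup luksFormat` argv, optionally pinning the PBKDF."""
    if pbkdf is not None and pbkdf not in CRYPTSETUP_PBKDFS:
        raise ValueError("unsupported pbkdf: %r" % (pbkdf,))
    # Leaving pbkdf unset means cryptsetup's default, so reject that in FIPS mode.
    if fips and pbkdf not in FIPS_PBKDFS:
        raise ValueError("FIPS install requires pbkdf in %r" % (FIPS_PBKDFS,))
    argv = ["cryptsetup"]
    if pbkdf is not None:
        argv += ["--pbkdf", pbkdf]
    return argv + ["luksFormat", device, keyfile]

def keyslot_pbkdfs(luks_dump_text):
    """Map keyslot number -> PBKDF name from LUKS2 `cryptsetup luksDump` text."""
    slots, section, current = {}, None, None
    for line in luks_dump_text.splitlines():
        if line and not line[0].isspace():
            # Unindented line: a new top-level section such as "Keyslots:".
            section, current = line.strip().rstrip(":"), None
            continue
        if section != "Keyslots":
            continue  # "Digests:" entries also mention pbkdf2; skip them
        slot = re.match(r"\s+(\d+): \w+", line)
        if slot:
            current = int(slot.group(1))
            continue
        kdf = re.match(r"\s+PBKDF:\s+(\S+)", line)
        if kdf and current is not None:
            slots[current] = kdf.group(1)
    return slots

def noncompliant_keyslots(luks_dump_text, allowed=FIPS_PBKDFS):
    """Return {slot: pbkdf} for keyslots whose PBKDF is not in `allowed`."""
    found = keyslot_pbkdfs(luks_dump_text)
    return {s: k for s, k in found.items() if k not in allowed}

# Constructed sample (abridged luksDump layout), not output from a real device.
SAMPLE_DUMP = (
    "LUKS header information\nVersion:        2\nKeyslots:\n"
    "  0: luks2\n\tKey:        512 bits\n\tPBKDF:      argon2i\n"
    "  1: luks2\n\tKey:        512 bits\n\tPBKDF:      pbkdf2\n"
    "Tokens:\nDigests:\n  0: pbkdf2\n\tHash:       sha256\n"
)
```
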