[Bug 2141232] [NEW] 26.04 uses an outdated version of GRUB that cannot unlock LUKS2 /boot with Argon2 (argon2i/argon2id) KDF – please update to a release that includes upstream Argon2 support

D 2141232 at bugs.launchpad.net
Sun Feb 8 13:49:13 UTC 2026


Public bug reported:

A common setup is to use a separate encrypted /boot partition that must
be unlocked by GRUB (cryptodisk) in order to load the kernel and
initramfs; the root filesystem is then unlocked later by
initramfs/cryptsetup (optionally using a keyfile). With the current
Ubuntu 26.04 GRUB packaging snapshot, GRUB cannot unlock LUKS2 keyslots
using Argon2 KDF (argon2i / argon2id). The packaged version of GRUB
supports only the much weaker PBKDF2.

Argon2 (especially Argon2id) is considered a stronger, more modern
password-based key derivation approach than PBKDF2 for protecting
encrypted volumes against offline cracking, because it is memory-hard
rather than mostly CPU-bound. This matters for encrypted /boot, where a
stolen disk enables unlimited offline guessing, and being forced to
PBKDF2 due to bootloader limitations is a real security downgrade.

Steps to reproduce

1. Create a separate LUKS2 partition for /boot with keyslot KDF = argon2id (or argon2i).
2. Install Ubuntu 26.04 (daily/devel) configured so GRUB unlocks encrypted /boot (cryptodisk).
3. Boot and enter the LUKS passphrase at the GRUB prompt.


Actual result
GRUB fails to unlock /boot when the keyslot uses Argon2 KDF (in the current snapshot, the LUKS2 decrypt path still hard-fails with “Argon2 not supported”).

Expected result
GRUB successfully derives the key using Argon2 and unlocks the LUKS2 /boot partition, then continues boot.

Additional info / evidence

1. Current Ubuntu devel packaging is based on 2.14~git20250718.0e36779
for grub2-unsigned (see package page). In grub-core/disk/luks2.c,
luks2_decrypt_key() returns “Argon2 not supported” for Argon2 KDF type.

2. There is an upstream grub-devel patch series adding Argon2 KDF support for LUKS2 (e.g. “disk/luks2: Add Argon2 support”).
    Upstream thread: https://www.mail-archive.com/grub-devel@gnu.org/msg41723.html

Request
Please update Ubuntu 26.04 GRUB (grub2-unsigned) to a version (upstream 2.14 release tarball or newer snapshot) that includes LUKS2 Argon2 KDF unlock support for cryptodisk.

Additional info:
Package page: https://launchpad.net/ubuntu/+source/grub2-unsigned

** Affects: grub2-unsigned (Ubuntu)
     Importance: Undecided
         Status: New

** Package changed: grub2-signed (Ubuntu) => grub2-unsigned (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2141232

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2141232/+subscriptions
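As an added example, not part of the bug report and not code from GRUB or cryptsetup: a POSIX shell check that reads the text output of `cryptsetup luksDump` and reports, per LUKS2 keyslot, which KDF protects it and whether a GRUB build that only implements PBKDF2 (as described in the report) can unlock it. The sample dump is constructed (the UUID, offsets and salts are placeholders and the indentation uses spaces where real output uses tabs); the function names and the verdict labels are this example's own. It assumes the luksDump layout of cryptsetup 2.x, where the "Keyslots:" section is followed by "Tokens:" and "Digests:" and each keyslot carries a "PBKDF:" line.

```shell
#!/bin/sh
# Added example (not from the bug report, GRUB or cryptsetup): find LUKS2
# keyslots that a GRUB without Argon2 support cannot open.
#
# Input: `cryptsetup luksDump <device>` text on stdin.
# Output: one "slot<TAB>kdf<TAB>verdict" line per LUKS2 keyslot.
# Argon2 (argon2i/argon2id) is the memory-hard, preferred KDF, but the GRUB
# snapshot in the report only derives keys with PBKDF2, so every argon2*
# keyslot is flagged; only /boot (the device GRUB must open) is affected,
# keyslots that initramfs unlocks later are fine with Argon2.
keyslot_kdfs() {
    awk '
        /^Keyslots:/                        { in_slots = 1; next }
        /^(Tokens|Digests|Data segments):/  { in_slots = 0 }
        # "  0: luks2" opens a keyslot; remember its number without the colon.
        in_slots && /^[ \t]*[0-9]+: luks2/  { slot = $1; sub(/:$/, "", slot); next }
        # "PBKDF:      argon2id" names the KDF of the current keyslot.
        in_slots && /^[ \t]+PBKDF:/ {
            kdf = $2
            verdict = (kdf ~ /^argon2/) ? "grub-cannot-unlock" : "grub-ok"
            printf "%s\t%s\t%s\n", slot, kdf, verdict
        }
    '
}

# Only the slot numbers GRUB would refuse; empty output means /boot is fine.
grub_blocking_slots() {
    keyslot_kdfs | awk -F '\t' '$3 == "grub-cannot-unlock" { print $1 }'
}

# Constructed sample in the shape of `cryptsetup luksDump` for a /boot header
# with one Argon2id keyslot and one PBKDF2 keyslot (values are placeholders).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       (omitted)
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        Salt:       (omitted)
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 131072
        Salt:       (omitted)
        Digest:     (omitted)
'

# Stand-alone demo on the constructed sample. Against a real header run:
#   cryptsetup luksDump /dev/<boot-partition> | keyslot_kdfs
printf '%s\n' "$SAMPLE_DUMP" | keyslot_kdfs
```

With the sample, slot 0 (argon2id) is reported as grub-cannot-unlock and slot 1 (pbkdf2) as grub-ok; a /boot header whose only passphrase slot is Argon2 will stop at the GRUB prompt exactly as the report describes. Until the packaged GRUB gains Argon2 support, the only keyslot GRUB can open is a PBKDF2 one; if you add such a slot for GRUB (cryptsetup luksAddKey --pbkdf pbkdf2), raise its iteration count (cryptsetup's --pbkdf-force-iterations) to partly compensate for the weaker KDF.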
