Package: cryptsetup Version: 2:2.1.0-1 Severity: important Dear Maintainer,
Currently the new cryptsetup defaults to LUKS2 format with the following parameters: Default PBKDF for LUKS2: argon2i Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4 Meaning that 1GB of RAM is required at luksOpen. This is a significant RAM increase compared to the previous defaults used in LUKS1. Meaning that many devices will no longer be able to installs afresh, using full-disk encryption. For example many IoT and Pi devices have 1GB of ram in total, and thus would OOM kill when trying to luksOpen. Please consider reducing the default memory requirement of the argon2i in luks2 by default, or switching to pbkdf2 for LUKS2 as well. If there are multiple encrypted datavolumes, unlocked automatically with crypttab, under systemd, they would be unlocked in parallel, meaning peak memory requirement would be 1GB*N on boot for those systems. I think it is unfortunate to not support default encryption on 1GB big devices and VMs. I have filed a similar bug report in Ubuntu as well just now: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1820049 Regards, Dimitri.
