Does libxcrypt migration affect LUKS passwords?

In release 22.11 of NixOS, there’s a change affecting how system login passwords are encrypted.

Software that uses the crypt password hashing API is now using the implementation provided by libxcrypt instead of glibc’s, which enables support for more secure algorithms.

Support for algorithms that libxcrypt does not consider strong are deprecated as of this release, and will be removed in NixOS 23.05.

This includes system login passwords. Given this, we strongly encourage all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.

Does this affect LUKS passwords in any way? I’m using LUKS for full disk encryption (i.e. on boot, after selecting a NixOS generation, I’m prompted for a password to decrypt my disk, and only after that does the display manager start up and prompt me for a system login password).

As far as I can tell, LUKS is not affected by the migration to libxcrypt, but I wanted to double check.

No, the LUKS header doesn’t even store hashes of any kind. Hash functions are primitives for implementing the key derivation functions, but these are fixed by the LUKS specification and most surely aren’t affected by an update in a third-party library.

As far as I know, the password you type to unlock the disk is used to derive a symmetric key (with PBKDF2 for LUKS1 and/or Argon2 for LUKS2) to decrypt one of several “keyslots” that contain the “master” key, which actually decrypts the disk.

1 Like