>> Yay, this is implemented in
>> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
>
> I'll take a look later.  We'll see whether or not it would be prudent
> to ship this as-is in Guix.

I had a look at this before, and the issue remaining is that the LUKS2 support in GRUB via this patch is not compatible with the default PBKDF that is going to be used by cryptsetup when creating LUKS2 partitions.

Looking at `cryptsetup --help` on Guix or elsewhere will show that the default LUKS2 PBKDF is argon2i. Unfortunately only pbkdf2 is supported by this GRUB2 patch (it's the default PBKDF for LUKS1).

It's possible to create LUKS2 encrypted partitions using pbkdf2, but this means they aren't using a PBKDF of the same strength that most people expect from LUKS2 use elsewhere - in distros where an unencrypted `/boot` is used to avoid the direct support in GRUB problem.

I'm not sure if this is a major concern or not here?

Have spent some of my morning writing up about encryption in Singularity containers, which uses LUKS2... so this is a fun topic to see in my mailbox right now :-)

Cheers,

DT
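
An added example, not part of the original message and not GRUB or cryptsetup code: a check that reads LUKS2 JSON header metadata and reports which keyslots use a PBKDF the GRUB patch discussed above can handle. The sample metadata is constructed, and the function names are hypothetical.

```python
import json

# Per the message above, the GRUB patch only handles pbkdf2 keyslots.
GRUB_SUPPORTED_KDFS = {"pbkdf2"}

# Constructed sample shaped like LUKS2 JSON header metadata (as printed by
# `cryptsetup luksDump --dump-json-metadata <device>`); all values are made up.
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2i", "time": 4, "memory": 1048576,
                  "cpus": 4, "salt": "PLACEHOLDER"}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256",
                  "iterations": 1000000, "salt": "PLACEHOLDER"}}
  }
}
"""


def classify_keyslots(metadata_json):
    """Map keyslot number -> (kdf type, usable by GRUB?)."""
    keyslots = json.loads(metadata_json).get("keyslots", {})
    result = {}
    for slot_id, slot in keyslots.items():
        kdf = slot.get("kdf", {}).get("type", "unknown")
        result[int(slot_id)] = (kdf, kdf in GRUB_SUPPORTED_KDFS)
    return result


def grub_can_unlock(metadata_json):
    """True if at least one keyslot uses a KDF in GRUB_SUPPORTED_KDFS."""
    return any(ok for _kdf, ok in classify_keyslots(metadata_json).values())


def report(metadata_json):
    """One line per keyslot, in slot order."""
    lines = []
    for slot, (kdf, ok) in sorted(classify_keyslots(metadata_json).items()):
        verdict = "usable by GRUB" if ok else "not usable by GRUB"
        lines.append(f"keyslot {slot}: {kdf:<9} {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_METADATA))
    print("GRUB can unlock:", grub_can_unlock(SAMPLE_METADATA))
```

A volume whose only keyslots are argon2i makes `grub_can_unlock` return `False`, which is the case the message describes for LUKS2 partitions created with cryptsetup's default PBKDF.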