From 442ada2d83b08dfd95538670f2f4b19b767273bf Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Thu, 9 Apr 2026 22:04:44 -0500
Subject: fix: use pbkdf2 for LUKS2 containers instead of argon2id

GRUB's LUKS2 support only handles pbkdf2. When /boot is inside the encrypted volume, argon2id causes GRUB to reject the correct password.
---
 installer/lib/btrfs.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'installer/lib/btrfs.sh')
diff --git a/installer/lib/btrfs.sh b/installer/lib/btrfs.sh
index 321c05c..4e11e2f 100644
--- a/installer/lib/btrfs.sh
+++ b/installer/lib/btrfs.sh
@@ -40,9 +40,12 @@ create_luks_container() {
 info "Setting up LUKS encryption on $partition..."
 # Create LUKS container (-q for batch mode, -d - to read key from stdin)
+ # Use pbkdf2 (not argon2id) because GRUB's LUKS2 support only handles pbkdf2.
+ # When /boot is inside the encrypted volume, GRUB must decrypt it to read
+ # the kernel/initramfs, and argon2id causes GRUB to reject the correct password.
 echo -n "$passphrase" | cryptsetup -q luksFormat --type luks2 \
 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
- --iter-time 2000 --pbkdf argon2id \
+ --iter-time 2000 --pbkdf pbkdf2 \
 -d - "$partition" \
 || error "Failed to create LUKS container"
@@ -111,7 +114,7 @@ create_luks_containers() {
 info "Setting up LUKS encryption on $partition..."
 echo -n "$passphrase" | cryptsetup -q luksFormat --type luks2 \
 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
- --iter-time 2000 --pbkdf argon2id \
+ --iter-time 2000 --pbkdf pbkdf2 \
 -d - "$partition" \
 || error "Failed to create LUKS container on $partition"
 ((++i))
-- 
cgit v1.2.3
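Review bot: The new `--pbkdf pbkdf2` in create_luks_container is unconditional, although the added comment only justifies it for layouts where /boot sits inside the encrypted volume; the same holds for the second hunk in create_luks_containers. PBKDF2 is not memory-hard, so at the unchanged `--iter-time 2000` a captured LUKS header is cheaper to attack offline with GPU hardware than it was under argon2id, which leaves passphrase strength carrying more of the load. Consider passing `--pbkdf "$pbkdf"` with `pbkdf` set to `argon2id` unless GRUB has to unlock the volume (how the installer records that is not visible in this hunk), or raising `--iter-time` for the pbkdf2 case. The body of create_luks_container continues outside the hunk.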
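Review bot: The `--pbkdf pbkdf2` line in create_luks_containers gets no comment, while the same change in create_luks_container carries the GRUB rationale, so someone hardening this loop later may switch it back to argon2id and break boot. Add `# pbkdf2, not argon2id: GRUB cannot unlock argon2id keyslots (see create_luks_container)` above the `echo -n` line. The two luksFormat calls appear option-for-option identical in these hunks, so holding the shared options in one array, e.g. `luks_format_opts=(--type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 --pbkdf pbkdf2)`, would keep the KDF choice in a single place. create_luks_containers starts before and continues after this hunk.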