Arch Linux Full-Disk Encryption Installation Guide [Encrypted Boot, UEFI, NVMe, Evil Maid]

full-disk-encryption-arch-uefi.md

Arch Linux Full-Disk Encryption Installation Guide

This guide provides instructions for an Arch Linux installation featuring full-disk encryption via LVM on LUKS and an encrypted boot partition (GRUB) for UEFI systems.

Following the main installation are further instructions to harden against Evil Maid attacks via UEFI Secure Boot custom key enrollment and self-signed kernel and bootloader.

Preface

You will find most of this information pulled from the Arch Wiki and other resources linked thereof.

Note: The system was installed on an NVMe SSD, substitute /dev/nvme0nX with /dev/sdX or your device as needed.

Pre-installation

Connect to the internet

Plug in your Ethernet and go, or for wireless consult the all-knowing Arch Wiki.

Update the system clock

timedatectl set-ntp true

Preparing the disk

Create EFI System and Linux LUKS partitions

Create a 1MiB BIOS boot partition at start just in case it is ever needed in the future

Number	Start (sector)	End (sector)	Size	Code	Name
1	2048	4095	1024.0 KiB	EF02	BIOS boot partition
2	4096	1130495	550.0 MiB	EF00	EFI System
3	1130496	976773134	465.2 GiB	8309	Linux LUKS

gdisk /dev/nvme0n1

o
n
[Enter]
0
+1M
ef02
n
[Enter]
[Enter]
+550M
ef00
n
[Enter]
[Enter]
[Enter]
8309
w

Create the LUKS1 encrypted container on the Linux LUKS partition (GRUB does not support LUKS2 as of May 2019)

cryptsetup luksFormat --type luks1 --use-random -S 1 -s 512 -h sha512 -i 5000 /dev/nvme0n1p3

Open the container (decrypt it and make available at /dev/mapper/cryptlvm)

cryptsetup open /dev/nvme0n1p3 cryptlvm

Preparing the logical volumes

Create physical volume on top of the opened LUKS container

pvcreate /dev/mapper/cryptlvm

Create the volume group and add physical volume to it

vgcreate vg /dev/mapper/cryptlvm

Create logical volumes on the volume group for swap, root, and home

lvcreate -L 8G vg -n swap
lvcreate -L 32G vg -n root
lvcreate -l 100%FREE vg -n home

The size of the swap and root partitions are a matter of personal preference.

Format filesystems on each logical volume

mkfs.ext4 /dev/vg/root
mkfs.ext4 /dev/vg/home
mkswap /dev/vg/swap

Mount filesystems

mount /dev/vg/root /mnt
mkdir /mnt/home
mount /dev/vg/home /mnt/home
swapon /dev/vg/swap

Preparing the EFI partition

Create FAT32 filesystem on the EFI system partition

mkfs.fat -F32 /dev/nvme0n1p2

Create mountpoint for EFI system partition at /efi for compatibility with grub-install and mount it

mkdir /mnt/efi
mount /dev/nvme0n1p2 /mnt/efi

Installation

Install necessary packages

pacstrap /mnt base linux linux-firmware mkinitcpio lvm2 vi dhcpcd wpa_supplicant

Configure the system

Generate an fstab file

genfstab -U /mnt >> /mnt/etc/fstab

(optional) Change relatime option to noatime

/mnt/etc/fstab

# /dev/mapper/vg-root
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,noatime 0 1

# /dev/mapper/vg-home
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,noatime 0 1

Reduces writes to disk when reading from a file, but may cause issues with programs that rely on file access time

Enter new system chroot

arch-chroot /mnt

At this point you should have the following partitions and logical volumes:

lsblk

NAME	MAJ:MIN	RM	SIZE	RO	TYPE	MOUNTPOINT
nvme0n1	259:0	0	465.8G	0	disk
├─nvme0n1p1	259:4	0	1M	0	part
├─nvme0n1p2	259:5	0	550M	0	part	/efi
├─nvme0n1p3	259:6	0	465.2G	0	part
..└─cryptlvm	254:0	0	465.2G	0	crypt
....├─vg-swap	254:1	0	8G	0	lvm	[SWAP]
....├─vg-root	254:2	0	32G	0	lvm	/
....└─vg-home	254:3	0	425.2G	0	lvm	/home

Time zone

Set the time zone

Replace America/Los_Angeles with your respective timezone found in /usr/share/zoneinfo

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Run hwclock to generate /etc/adjtime

Assumes hardware clock is set to UTC

hwclock --systohc

Localization

Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen and generate locale

locale-gen

Create locale.conf and set the LANG variable

/etc/locale.conf

LANG=en_US.UTF-8

Network configuration

Create the hostname file

/etc/hostname

myhostname

This is a unique name for identifying your machine on a network.

Add matching entries to hosts

/etc/hosts

127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname

Initramfs

Add the keyboard, encrypt, and lvm2 hooks to /etc/mkinitcpio.conf

Note: ordering matters.

HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck)

Recreate the initramfs image

mkinitcpio -p linux

Root password

Set the root password

passwd

Boot loader

Install GRUB

pacman -S grub

Configure GRUB to allow booting from /boot on a LUKS1 encrypted partition

/etc/default/grub

GRUB_ENABLE_CRYPTODISK=y

Set kernel parameter to unlock the LVM physical volume at boot using encrypt hook

UUID is the partition containing the LUKS container

blkid

/dev/nvme0n1p3: UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" TYPE="crypto_LUKS" PARTLABEL="Linux LUKS" PARTUUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

/etc/default/grub

GRUB_CMDLINE_LINUX="... cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:cryptlvm root=/dev/vg/root ..."

Install GRUB to the mounted ESP for UEFI booting

pacman -S efibootmgr
grub-install --target=x86_64-efi --efi-directory=/efi

Enable microcode updates

grub-mkconfig will automatically detect microcode updates and configure appropriately

pacman -S intel-ucode

Use intel-ucode for Intel CPUs and amd-ucode for AMD CPUs.

Generate GRUB's configuration file

grub-mkconfig -o /boot/grub/grub.cfg

(recommended) Embed a keyfile in initramfs

This is done to avoid having to enter the encryption passphrase twice (once for GRUB, once for initramfs.)

Create a keyfile and add it as LUKS key

mkdir /root/secrets && chmod 700 /root/secrets
head -c 64 /dev/urandom > /root/secrets/crypto_keyfile.bin && chmod 600 /root/secrets/crypto_keyfile.bin
cryptsetup -v luksAddKey -i 1 /dev/nvme0n1p3 /root/secrets/crypto_keyfile.bin

Add the keyfile to the initramfs image

/etc/mkinitcpio.conf

FILES=(/root/secrets/crypto_keyfile.bin)

Recreate the initramfs image

mkinitcpio -p linux

Set kernel parameters to unlock the LUKS partition with the keyfile using encrypt hook

/etc/default/grub

GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/secrets/crypto_keyfile.bin"

Regenerate GRUB's configuration file

grub-mkconfig -o /boot/grub/grub.cfg

Restrict /boot permissions

chmod 700 /boot

The installation is now complete. Exit the chroot and reboot.

exit
reboot

Post-installation

Your system should now be fully installed, bootable, and fully encrypted.

If you embedded the keyfile in the initramfs image, it should only require your encryption passphrase once to unlock to the system.

For the standard Arch Linux post-installation steps, RTFM.

(recommended) Hardening against Evil Maid attacks

With an encrypted boot partition, nobody can see or modify your kernel image or initramfs, but you would be still vulnerable to Evil Maid attacks.

One possible solution is to use UEFI Secure Boot. Get rid of preloaded Secure Boot keys (you really don't want to trust Microsoft and OEM), enroll your own Secure Boot keys and sign the GRUB boot loader with your keys. Evil Maid would be unable to boot modified boot loader (not signed by your keys) and the attack is prevented.

Creating keys

The following steps should be performed as the root user, with accompanying files stored in the /root directory.

Install efitools

pacman -S efitools

Create a GUID for owner identification

uuidgen --random > GUID.txt

Platform key

CN is a Common Name, which can be written as anything.

openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth

Sign an empty file to allow removing Platform Key when in "User Mode"

sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth

Key Exchange Key

openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

Signature Database key

openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth

Signing bootloader and kernel

When Secure Boot is active (i.e. in "User Mode") you will only be able to launch signed binaries, so you need to sign your kernel and boot loader.

Install sbsigntools

pacman -S sbsigntools

sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
sbsign --key db.key --cert db.crt --output /efi/EFI/arch/grubx64.efi /efi/EFI/arch/grubx64.efi

Automatically sign bootloader and kernel on install and updates

It is necessary to sign GRUB with your UEFI Secure Boot keys every time the system is updated via pacman. This can be accomplished with a pacman hook.

Create the hooks directory

mkdir -p /etc/pacman.d/hooks

Create hooks for both the linux and grub packages

/etc/pacman.d/hooks/99-secureboot-linux.hook

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux

[Action]
Description = Signing Kernel for SecureBoot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /root/db.key --cert /root/db.crt --output {} {}; fi' \ ;
Depends = sbsigntools
Depends = findutils
Depends = grep

/etc/pacman.d/hooks/98-secureboot-grub.hook

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = grub

[Action]
Description = Signing GRUB for SecureBoot
When = PostTransaction
Exec = /usr/bin/find /efi/ -name 'grubx64*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /root/db.key --cert /root/db.crt --output {} {}; fi' \ ;
Depends = sbsigntools
Depends = findutils
Depends = grep

Enroll keys in firmware

Copy all *.cer, *.esl, *.auth to the EFI system partition

cp /root/*.cer /root/*.esl /root/*.auth /efi/

Boot into UEFI firmware setup utility (frequently but incorrectly referred to as "BIOS")

systemctl reboot --firmware

Firmwares have various different interfaces, see Replacing Keys Using Your Firmware's Setup Utility if the following instructions are unclear or unsuccessful.

Set OS Type to Windows UEFI mode

Find the Secure Boot options and set OS Type to Windows UEFI mode (yes, even if we're not on Windows.) This may be necessary for Secure Boot to function.

Clear preloaded Secure Boot keys

Using Key Management, clear all preloaded Secure Boot keys (Microsoft and OEM).

By clearing all Secure Boot keys, you will enter into Setup Mode (so you can enroll your own Secure Boot keys).

Set or append the new keys

The keys must be set in the following order:

db => KEK => PK

This is due to some systems exiting setup mode as soon as a PK is entered.

Do not load the factory defaults, instead navigate the available filesystems in search of the files previously copied to the EFI System partition.

Choose any of the formats. The firmware should prompt you to enter the type (Note: type names may differ slightly.)

*.cer is a Public Key Certificate
*.esl is a UEFI Secure Variable
*.auth is an Authenticated Variable

Certain firmware (such as my own) require you use the *.auth files. Try various ones until they work.

Set UEFI supervisor (administrator) password

You must also set your UEFI firmware supervisor (administrator) password in the Security settings, so nobody can simply boot into UEFI setup utility and turn off Secure Boot.

You should never use the same UEFI firmware supervisor password as your encryption password, because on some old laptops, the supervisor password could be recovered as plaintext from the EEPROM chip.

Exit and save changes

Once you've loaded all three keys and set your supervisor password, hit F10 to exit and save your changes.

If everything was done properly, your boot loader should appear on reboot.

Check if Secure Boot was enabled

od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The characters denoted by XXXX differ from machine to machine. To help with this, you can use tab completion or list the EFI variables.

If Secure Boot is enabled, this command returns 1 as the final integer in a list of five, for example:

6 0 0 0 1

If Secure Boot was enabled and your UEFI supervisor password set, you may now consider yourself protected against Evil Maid attacks.

This guide makes you generate rm_PK.auth on your encrypted partition, so you still have a copy of it somewhere, that's why I suggest to completely remove it from the /efi partition. I personally backed it up on an external hard drive, encrypted using my own gpg key.

I don't see any problems about generate authorities and certificates on your encrypted partition ; only if the attacker has the encryption password, in theory, he can access to the CA files. In the case where you delete all files on your encrypted disk with rm, attacker have a very small chance to get CA files with disk forensics if no much data isn't overwritten at multiples times (use shred instead).

If you have copy CA files on the EFI partition, i'm agree with @ShellCode33 , you must delete files securely with shred -uz -n 7.

The best solution for me is to save all your authorities and other certificates on another external storage using encryption like GPG and AES (the mixture of symmetrical and asymmetrical is a good thing) even through the more secure way (not stable actually) is https://shufflecake.net. For safety, save all this data with 2 or more samples and put them in a secure and hidden vault. After that, you can use shred on your encrypted partition to definitively delete CA files on your computer.

That scenario above was mainly for simplicity as an example. I think if you're using a CA, you're probably more likely to be a corporate business or have many Linux installations rather than just one. That's really where a CA could become most powerful, I think - assuming the keys are stored securely etc.

I also agree that the best solution would really be to keep any CA keys in a completely different place. Even better would be to isolate all your CA keys on a separate machine to begin with specifically for crypto, and never move them off there, but again this is more for corporates I think. Just doing all this for a single personal computer depends upon how much you want it secured I suppose.

I have a fully automated script on my repo, very close to your steps. https://github.com/schm1d/AwesomeArchLinux

I've written a step-by-step guide essentially on how to enable hibernation with this setup: https://gist.github.com/Iwwww/008ef082a52cc509d186889118412aa6

I followed this guide. However, whenever I want to reboot systemd fails to unmount /home, and after the reboot I am dropped into an emergency shell. The temporary fix for me, is to boot to a live arch ISO, mount the encrypted partitions, install grub, run grub-mkconfig -o and regenerate initramfs (mkinitcpio -p linux). After that, I can boot into the system just fine. However, I don't want to be doing this everytime I want to restart my machine. Is there a fix for this?

Take note that you may encounter issues after a certain GRUB version. See here for info about why: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim_with_key_and_GRUB

Thanks for the thorough guide @huntrar

@Iwwww

I've written a step-by-step guide essentially on how to enable hibernation with this setup: https://gist.github.com/Iwwww/008ef082a52cc509d186889118412aa6

If i put, what you put in modules, I get "module not found" for all of these. why do we have to put it to modules in addition to hooks? you have amdgpu in there too ig, that one depends on which gpu you are using.

I follod this guide until the GRUB install,
grub-install --target=x86_64-efi --efi-directory=/efi
which left me with the
'Installing for x86_64-efi platform.
grub-install: error: unknown filesystem.'
error.
Until now I found no working fix, do you have any ideas?
THank you in advance!

'Installing for x86_64-efi platform.
grub-install: error: unknown filesystem.'

I was also getting this during two installation attempts. The only time I didn't get this error was when I used fdisk to partition, instead of parted. I haven't tried gdisk but could be a similar case.

I've all but given up on encrypted install for now. I've tried multiple times and each time grub says I'm giving it an incorrect password. Which is not true, as others have also recently found.

Really seems like grub and LUKS are not playing nicely :(

'Installing for x86_64-efi platform.
grub-install: error: unknown filesystem.'

I was also getting this during two installation attempts. The only time I didn't get this error was when I used fdisk to partition, instead of parted. I haven't tried gdisk but could be a similar case.

I've all but given up on encrypted install for now. I've tried multiple times and each time grub says I'm giving it an incorrect password. Which is not true, as others have also recently found.

Really seems like grub and LUKS are not playing nicely :(

I finally got it to work, using this, gentoo wizards saved me:
https://forums.gentoo.org/viewtopic-p-8776588.html#8776588

tune2fs -O metadata_csum_seed /dev/device

did the trick.

I also tried that, but to no avail. But have seen it worked for a few.
Finally got it working. The other missing part to the puzzle was to include the --type luks1 flag when running luksFormat on the partition. Grub is not compatible in all cases with luks2 (the default value in luksFormat), as has also been reported around the place.

Finally figured out how to enable Secure Boot after GRUB made it difficult with the update.

I ended up ditching GRUB and just boot straight from UEFI using a signed Unified Kernel Image. Skip creating and embedding the keyfile also. I used sbctl to make my life easier with creating and signing keys.

@gavsiu that's the way to go. GRUB is overrated IMO, it's not necessary at all. I invite people to take a look at arch-secure-boot. Booting directly into a UKI also allows you to use LUKS2, which is not supported by GRUB yet.

Passphrase decryption seems way faster than before when I was booting with GRUB.

True, that's because the UKI uses hardware acceleration

Grub 2.12 supports LUKS2. But if we do cryptsetup luksFormat device, this defaults to LUKS2 with --pbkdf argon2id, but Grub doesn't support that PBKDF. But you can still use LUKS2 with Grub by doing something like cryptsetup luksFormat --pbkdf pbkdf2 device.

The docs for Grub are here, and it's helpful to look at the compiled defaults of cryptsetup via cryptsetup --help and looking for "Default" near the bottom of the output.

Could you explain how secure boot protects against an evil maid with physical access? If you can modify your trusted keys, so can an attacker.

It's only a matter of slowing down the attacker, by setting a password to the BIOS, you considerably slow them down because they would have to open the computer and remove the battery on the motherboard to reset the password, it's very inconvenient and can be time consuming (especially on laptops where the battery is usually on the back of the MB and you have to unscrew almost everything). Whereas if secure boot was not enabled, it would only be a matter of accessing the drive (which is usually way easier to do, especially on laptops) to alter the EFI partition. So you're right it doesn't protect you 100%. One interesting feature that some manufacturers provide (e.g. Dell) is the ability to detect if the device has been physically tempered with, it doesn't prevent the attack but at least you can be informed that it occurred (as long as you have the proper runtime checks, I guess it can be accessed through UEFI variables exposed by the OS)

I agree, however if your BIOS password also blocks booting at all, then secure boot doesn't offer more protection against that kind of attack. But if the password blocks only the UEFI settings, then I guess secure boot does help a bit.

Would TPM help with this issue as well @ShellCode33? Not to secure bios password but to protect against tampering. I’m pretty sure you can set so the hard drive will only unlock if certain conditions, eg firmware, has not been modified. I’m not sure what resilience a defence like this would have against something like the NSA, but I would imagine it would deter most people on the street. It took a lot of work but I think a while back I did manage to get a TPM, SecureBoot and full disk encryption to work. Kind regards, Christopher Marshall Founder & CEO, Cosmo Digital Solutions Website: www.cosmodigitalsolutions.com This email and its contents were NOT generated using Artifical Intelligence systems. We do not utilise AI technologies in any form. Subject to contract and without prejudice. On 24 May 2024, at 18:17, ShellCode ***@***.***> wrote: ***@***.*** commented on this gist. It's only a matter of slowing down the attacker, by setting a password to the BIOS, you considerably slow them down because they would have to open the computer and remove the battery on the motherboard to reset the password, it's very inconvenient and can be time consuming (especially on laptops where the battery is usually on the back and you have to unscrew almost everything). Whereas if secure boot was not enabled, it would only be a matter of accessing the drive (which is usually way easier to do, especially on laptops) to alter the EFI partition. So you're right it doesn't protect you 100%. One interesting feature that some manufacturers provide (e.g. Dell) is the ability to detect if the device has been physically tempered with, it doesn't prevent the attack but at least you can be informed that it occurred (as long as you have the proper runtime checks, I guess it can be accessed through UEFI variables exposed by the OS) — Reply to this email directly, view it on GitHub or unsubscribe. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS or Android.

@ShellCode33 an addendum: If the attacker removes the firmware battery and doing so disables your password, 2 things may happen:
A) You will get no password prompt, so you will know that your computer is compromised.
B) He will set a password different from yours so you will not be able to boot. Then you will know your computer is compromised (just like case A).

So you should be safe either way. Not against all kinds of hardware manipulation (e.g keylogger) or against a hidden camera.

Does the LUK2 work now with GRUB? Or not yet?

Does the LUK2 work now with GRUB? Or not yet?

No, LUKS2 isn't fully supported in Grub 2.12 and no code updates about that has been done. Argon2 still unsupported : https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/luks2.c.

LUKS2 works with PBKDF2. Someone want to include Argon2 but he's busy for the moment : https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00047.html.

Does the LUK2 work now with GRUB? Or not yet?

No, LUKS2 isn't fully supported in Grub 2.12 and no code updates about that has been done. Argon2 still unsupported : https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/luks2.c.

LUKS2 works with PBKDF2. Someone want to include Argon2 but he's busy for the moment : https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00047.html.

Edit: Apparently LUKS2 is only partially supported by GRUB; specifically, only the PBKDF2 key derivation function is implemented, which is not the default KDF used with LUKS2, that being Argon2i. LUKS encrypted partitions using Argon2i (as well as the other KDF) can not be decrypted. (source from other forums)

I'm still testing it, but I wasn't using the argon2id <- hybrid version that covers both?

So when said that it's not fully supported, does that mean it doesn't work or it works but there's a big hole?

Okay I do have some problems with LUKS

LUKS2 works with PBKDF2, that's all. I'm using this configuration for a while and i have any problems with that.

Argon2i(d) is very more secure and resilient than PBKDF2 especially in memory resistance. So when i said that it's not fully supported, it's because GRUB don't support it. You don't have to search in "forums", as you can see in the code here : https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/luks2.c.

case LUKS2_KDF_TYPE_ARGON2I:
ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
goto err;
case LUKS2_KDF_TYPE_PBKDF2:
hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
[...] (no Grub error so LUKS2 works with PBKDF2)

LUKS2 works with PBKDF2, that's all. I'm using this configuration for a while and i have any problems with that.

Argon2i(d) is very more secure and resilient than PBKDF2 especially in memory resistance. So when i said that it's not fully supported, it's because GRUB don't support it. You don't have to search in "forums", as you can see in the code here : https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/luks2.c.

case LUKS2_KDF_TYPE_ARGON2I: ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported"); goto err; case LUKS2_KDF_TYPE_PBKDF2: hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash); [...] (no Grub error so LUKS2 works with PBKDF2)

Ah okay I was just fixing my problems since I couldn't unlock the GRUB and keep dropping into an emergency shell