Comment 0 for bug 2073429

Kyler Hornor (kylerhornor) wrote :

Hello,

clevis is released as version 18 on jammy (22.04). For reasons that are a bit beyond me, the cryptsetup call inside clevis creates keyslots using argon2id as the PBKDF. While most folks would say this is preferable, NIST still has not approved it, and it is thus incompatible with FIPS 140-3 at this time.

Oddly enough, an upstream commit that was made to help with an OOM condition accidentally forced pbkdf2 rather than argon2id.

Commit found here: https://github.com/latchset/clevis/commit/71596307516ce2367e6303bd7f7ae7b180b29a35

Ideally, we need to either just bring that commit back to the jammy version, or get to the root cause of why cryptsetup in that exact scenario prefers argon2id.
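To tell whether an existing volume is affected by what the comment above describes, a practitioner wants to see which PBKDF each LUKS2 keyslot actually uses and which of those slots clevis owns. The script below is an added example written for this page; it is not code from clevis, cryptsetup or the bug report. It parses the text format that `cryptsetup luksDump` prints for a LUKS2 header (the sample dump is constructed here and trimmed to the fields the parser reads), reports keyslots whose PBKDF is anything other than pbkdf2, and lists the keyslots referenced by clevis tokens. The real-device commands at the end are shown as comments because they need root and a block device; `luksConvertKey --pbkdf pbkdf2` re-derives one slot's key-protection in place, and `--pbkdf pbkdf2` on `luksAddKey` is the flag a wrapper would pass to avoid creating an argon2id slot in the first place.

```shell
#!/bin/sh
# Added example (not from clevis or the bug report): audit the PBKDF used by
# each LUKS2 keyslot so a FIPS 140-3 deployment can spot argon2id keyslots,
# and find the keyslot(s) that clevis tokens point at.

# Constructed, trimmed sample of `cryptsetup luksDump` output for a LUKS2
# header: slot 0 was converted to pbkdf2, slot 1 was added by clevis with
# argon2id (the situation described in the bug report).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    cipher: aes-xts-plain64

Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000
  1: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 117437'

# Read luksDump text on stdin, print "<slot> <pbkdf>" for every keyslot.
# Top-level headings ("Keyslots:", "Digests:", ...) start in column 0 and
# select the section; only the Keyslots section is inspected, so the
# "0: pbkdf2" line under Digests (a header digest, not a keyslot) is skipped.
keyslot_pbkdfs() {
    awk '
        /^[^[:space:]]/ { section = $1 }
        section == "Keyslots:" && /^  [0-9]+: / { slot = $1; sub(":", "", slot) }
        section == "Keyslots:" && /^[[:space:]]+PBKDF:/ { print slot, $2 }
    '
}

# Read luksDump text on stdin, print keyslots whose PBKDF is not pbkdf2
# (argon2i or argon2id), i.e. the ones the comment above flags as non-FIPS.
non_fips_keyslots() {
    keyslot_pbkdfs | awk '$2 != "pbkdf2"'
}

# Succeed only if every keyslot uses pbkdf2.
fips_keyslots_ok() {
    [ -z "$(non_fips_keyslots)" ]
}

# Read luksDump text on stdin, print the keyslot numbers referenced by
# clevis tokens (the slots clevis created at bind time).
clevis_keyslots() {
    awk '
        /^[^[:space:]]/ { section = $1 }
        section == "Tokens:" && /^  [0-9]+: / { tok = $2 }
        section == "Tokens:" && tok == "clevis" && /^[[:space:]]+Keyslot:/ { print $2 }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | non_fips_keyslots
printf 'clevis keyslots: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | clevis_keyslots)"

# Real-device usage (needs root; not executed here):
#   cryptsetup luksDump /dev/sdX | non_fips_keyslots
#   cryptsetup luksDump /dev/sdX | fips_keyslots_ok || echo "non-FIPS keyslot present"
# Convert an offending slot in place to pbkdf2 (prompts for that slot's passphrase;
# for a clevis slot, feed it the passphrase clevis recovers from the pin):
#   cryptsetup luksConvertKey --key-slot 1 --pbkdf pbkdf2 /dev/sdX
# Force pbkdf2 when a new slot is added, the flag a wrapper would pass:
#   cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sdX
```

Converting the clevis slot with `luksConvertKey` keeps the same slot key, so the clevis token and its pin policy stay valid; only the key derivation protecting that slot changes, and unlocking via clevis continues to work afterwards.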