Harden default LUKS2 settings
See https://discuss.kde.org/t/making-libkpmcores-luks2-settings-more-secure/21764 for rationale. tl;dr: the default settings for LUKS2 encryption in libkpmcore aren't as secure as they could be and it would be useful to strengthen them.
A breakdown of the added cryptsetup options:
-
--use-random
: Uses/dev/random
as an entropy source rather than/dev/urandom
- this provides higher-quality entropy on some distros, and shouldn't have any substantial downsides on others. -
--cipher aes-xts-plain64
- Ensures the strongest variant of aes-xts is used. -
--hash sha512
- Ensures a very strong hashing algorithm for deriving a decryption key from a passphrase. The default is some distros is only sha256.