If you want to use GRUB to unlock your encrypted drive on boot then you likely want to use LUKS1 instead of LUKS2. If you already have a LUKS2 partition, most guides around the web will tell you that you simply have to convert your keys to PBKDF2 before you can convert a LUKS2 partition to LUKS1, however, as seen in this bug report, that's not quite the whole truth.
Run luksDump
:
cryptsetup luksDump /dev/<your_device>
You will get output like this:
LUKS header information for /dev/<your_device>
Version: 2
Epoch: 14
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: <uuid>
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1372442
Salt: <value>
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha512
Iterations: 121132
Where it says AF hash:
and below Digests:
where it says Hash:
need to show the same value. If they do not, then you can change the AF hash
while converting your key to pbkdf2
like so:
cryptsetup luksConvertKey --pbkdf=pbkdf2 --hash=sha512 /dev/<your_device>
Now you should be able to convert to LUKS1:
cryptsetup convert /dev/<your_device> --type luks1