Re: 10 M Luks2 header size?

Hi,

This information should later be in the FAQ, so I will try to explain it here.

Anyway, stay with defaults, if you can.

On 19/10/2019 21:59, Hualing Yu wrote:
> May I ask a couple of additional questions about this so that we know how to trade off.
>
> 1. What can the reencryption do for us? Could you explain very
> briefly, as I'm not sure if we need it?

In principle it can perform changes that require a full-device rewrite (change of the volume key).
See man cryptsetup-reencrypt; for LUKS2 it is more reliable and, mainly, online
(you can use the device while it is in the reencryption process).

See slides from Ondra
  https://okozina.fedorapeople.org/online-disk-reencryption-with-luks2-compact.pdf

There should also be some online demos
  Reencryption demo: https://asciinema.org/a/268573
  Encryption demo: https://asciinema.org/a/268574

For this we require a reserved area for storing temporary encryption data.

> 2. We need only one or at most two keyslots, but we do want them
> to be scattered as much as needed, just as in the default case.
> What can we do? Use --luks2-keyslots-size=1M (or whatever size
> will give two keys enough space to scatter)?

There are two areas (see LUKS2 docs): the JSON area for metadata and the binary area.

The JSON area has a small binary header, then the JSON data (it is 16k currently, stored twice).

For the binary area, it depends on what you need; the exact size depends on the stored
key size (the binary keyslot data are stored here, exactly the same as in LUKS1).

I would expect you are using the current default for disk encryption, AES256-XTS.

Then you need to store a 512-bit (2x256-bit) key in each binary keyslot.

With the LUKS AF filter and 4k alignment, it should be 256KiB of binary data per keyslot.

So for 1M and a 512-bit key it allows 4 LUKS keyslots here.

> 3. What is the size of the metadata for the default configuration?
> What's the downside of using 16K?

The whole LUKS2 default header takes 16MiB.

For the JSON area it is 16k, stored twice (we will increase it later; this is for compatibility reasons);
for the binary area it is "16M - 2x16k" (16M minus the JSON areas).

There are only several possible sizes of the JSON area you can use (see LUKS2 docs);
the binary area is basically arbitrary with a maximum of 128M, and it must be aligned to 4k sectors.

The JSON area allows storing user token metadata, so if you do not need it, there is no need to enlarge it.

Thanks,
Milan
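The sizing arithmetic from the reply above, as an added example (not cryptsetup's code and not from this thread). The 4k alignment, the 128M binary maximum and the 16 MiB default are taken from the mail; the AF stripe count of 4000, the 32-keyslot limit and the allowed JSON area sizes (16k to 4M, powers of two) are assumptions taken from the LUKS specifications. It generalizes the 512-bit case to other key sizes.

```python
from math import ceil
from typing import Optional

SECTOR = 512
AF_STRIPES = 4000          # anti-forensic stripes per key (assumed from the LUKS spec, not this mail)
KEYSLOT_ALIGN = 4096       # binary keyslot areas aligned to 4k sectors (stated in the mail)
MAX_KEYSLOTS = 32          # LUKS2 keyslot limit (assumed from the LUKS2 spec)
MAX_BINARY_AREA = 128 * 1024 * 1024                      # "maximum 128M" from the mail
ALLOWED_JSON_SIZES = [16 * 1024 << i for i in range(9)]  # 16k .. 4M (assumed from the LUKS2 spec)
DEFAULT_HEADER = 16 * 1024 * 1024                        # "default header takes 16MiB"


def keyslot_area_bytes(key_bits: int) -> int:
    """Binary keyslot area needed for one AF-split key of key_bits bits."""
    key_bytes = key_bits // 8
    # AF splitting stores key_bytes * AF_STRIPES bytes, padded to whole 512-byte sectors
    split = ceil(key_bytes * AF_STRIPES / SECTOR) * SECTOR
    # each keyslot area is then rounded up to the 4k alignment
    return ceil(split / KEYSLOT_ALIGN) * KEYSLOT_ALIGN


def keyslots_that_fit(binary_area_bytes: int, key_bits: int) -> int:
    """How many keyslots a binary area of the given size can hold."""
    return min(MAX_KEYSLOTS, binary_area_bytes // keyslot_area_bytes(key_bits))


def header_layout(json_area_bytes: int = 16 * 1024,
                  binary_area_bytes: Optional[int] = None,
                  key_bits: int = 512) -> dict:
    """Validate a JSON/binary area choice and report the resulting header geometry."""
    if json_area_bytes not in ALLOWED_JSON_SIZES:
        raise ValueError(f"JSON area must be one of {ALLOWED_JSON_SIZES}")
    metadata = 2 * json_area_bytes                 # the JSON area is stored twice
    if binary_area_bytes is None:                  # default: "16M - 2x16k"
        binary_area_bytes = DEFAULT_HEADER - metadata
    if binary_area_bytes % KEYSLOT_ALIGN or not 0 < binary_area_bytes <= MAX_BINARY_AREA:
        raise ValueError("binary area must be 4k-aligned and at most 128M")
    return {
        "metadata_bytes": metadata,
        "binary_area_bytes": binary_area_bytes,
        "header_bytes": metadata + binary_area_bytes,
        "bytes_per_keyslot": keyslot_area_bytes(key_bits),
        "max_keyslots": keyslots_that_fit(binary_area_bytes, key_bits),
    }


if __name__ == "__main__":
    print(header_layout())                               # default 16 MiB header
    print(header_layout(binary_area_bytes=1024 * 1024))  # --luks2-keyslots-size=1M
```

For a 512-bit key this gives 258048 bytes per keyslot (the value luksDump reports as the keyslot area length), close to the 256KiB quoted above, and 4 keyslots in a 1M binary area.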
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt