I can answer 2.: Redundancy (of any kind) is not backup. You need that
backup. A backup is independent from the original data storage mechanism,
redundancy is not.

Regards,
Arno

On Sun, Oct 27, 2019 at 14:15:12 CET, Hualing Yu wrote:
> Hello Milan,
>
> How are you?
>
> We truly appreciate your help with your expertise on this LUKS
> configuration!
> Could you please answer my last two questions below?
>
> 1. I'm using linux kernel keyring as token for passphrase (likely
> one passphrase per LUKS partition). Do I need to enlarge JSON? (BTW,
> why is the JSON area stored twice, for backup of only that area?)
>
> 2. If we have full filesystem redundancy, do we still need to use
> luksHeaderBackup <device> and luksHeaderRestore <device> for the entire
> 16 M header backup? Any suggestion on what to check to ensure that the
> standby (inactive) luks partition is in good condition?
>
> Thank you very much!
>
> Hualing
>
> From: Hualing Yu
> Sent: Monday, October 21, 2019 12:13 PM
> To: Milan Broz <gmazyland@xxxxxxxxx>; dm-crypt@xxxxxxxx
> Subject: RE: 10 M Luks2 header size?
>
> Hi Milan,
>
> Thank you very much for the detailed explanation! This is tremendous
> help to us!
>
> I had already brought this up in our group meeting. We will re-arrange
> our partitions to ensure all have enough space for default
> configurations. Thank you very much on that!
>
> May I ask further – (sorry, more questions, I just want to do it right
> and make the best out of your original design.)
>
> 1. I'm using linux kernel keyring as token for passphrase. Do I
> need to enlarge JSON? (BTW, why is the JSON area stored twice, for backup
> of only that area?)
>
> 2. Do we still need to use luksHeaderBackup <device> and
> luksHeaderRestore <device> for the entire 16 M header backup? This
> means each luks partition needs 32 M for its header!
>
> Now here is our story: We have storage redundancy on our board, that
> is, for each component (for example linux rootfs) we have two
> partitions to save two copies of the component. I think with that, we
> may not need luks header backup. When we detect anything wrong with
> the current active partition, including the luks header, we can switch to
> the standby partition for rootfs for example, and then repair, or simply
> wipe everything and redo luks format and copy the data into it.
>
> Should this work? Can you suggest some ways, or check points, for our
> background task to periodically check to ensure all luks's are good,
> in case you have something on top of your head? 8-)
>
> Thank you so much!
>
> Hualing
>
> -----Original Message-----
> From: Milan Broz [[1]mailto:gmazyland@xxxxxxxxx]
> Sent: Sunday, October 20, 2019 6:08 AM
> To: Hualing Yu <[2]hualing.yu@xxxxxxx>; [3]dm-crypt@xxxxxxxx
> Subject: Re: 10 M Luks2 header size?
>
> Hi,
>
> this information should be later in the FAQ, so I try to explain it here.
>
> Anyway, stay with defaults, if you can.
>
> On 19/10/2019 21:59, Hualing Yu wrote:
> > > May I ask a couple of additional questions about this so that we know
> > > how to trade off.
> > >
> > > 1. What can the reencryption do for us? Could you explain very
> > > briefly as I'm not sure if we need it?
>
> In principle it can perform changes that require a full-device rewrite
> (change of the volume key).
>
> See man cryptsetup-reencrypt - just for LUKS2 it is more reliable and
> mainly online (you can use the device while it is in the reencryption process).
>
> See slides from Ondra
> [4]https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fokozina.fedorapeople.org%2Fonline-disk-reencryption-with-luks2-compact.pdf&data=02%7C01%7Chualing.yu%40jci.com%7Ca096abcf38e8483e599808d7554555fc%7Ca1f1e2147ded45b681a19e8ae3459641%7C0%7C1%7C637071628596824108&sdata=Zn13uT%2B7wsLKex3r6u3LWAC7xFobCn4PLs10ywQYxeU%3D&reserved=0
>
> There should be also some online demos
>
> Reencryption demo:
> [5]https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fasciinema.org%2Fa%2F268573&data=02%7C01%7Chualing.yu%40jci.com%7Ca096abcf38e8483e599808d7554555fc%7Ca1f1e2147ded45b681a19e8ae3459641%7C0%7C1%7C637071628596824108&sdata=6DkH8Bwz699zeGzk25vf8gh4%2FKuImVaMeGEu34qHkCA%3D&reserved=0
>
> Encryption demo:
> [6]https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fasciinema.org%2Fa%2F268574&data=02%7C01%7Chualing.yu%40jci.com%7Ca096abcf38e8483e599808d7554555fc%7Ca1f1e2147ded45b681a19e8ae3459641%7C0%7C1%7C637071628596824108&sdata=8nuvhvj5fBB%2FeH0pu0%2F0qRNd7l47dVMQwzDrNFoeeMA%3D&reserved=0
>
> For this we require some reserved area for storing temporary encryption
> data.
>
> > > 2. We need only one or at most two keyslots but we do want them
> > > to be scattered as much as needed just as if for the default case,
> > > what we can do? Use --luks2-keyslots-size=1M (or whatever size that
> > > will give two keys enough space to scatter)?
>
> There are two areas (see LUKS2 docs) - JSON area for metadata and
> binary area.
>
> JSON has a small binary header, then JSON data (it is 16k currently,
> stored twice).
>
> For the binary area, it depends what you need, exact size depends on
> the stored key size (here the binary keyslot data are stored, exactly
> the same as in LUKS1).
>
> I would expect you are using the current default for disk encryption,
> AES256-XTS.
>
> Then you need to store a 512bit (2x256bit) key in each binary keyslot.
>
> With the LUKS AF filter and 4k alignment it should be 256KiB of binary
> data per keyslot.
>
> So for 1M and 512bit key it allows 4 LUKS keyslots here.
>
> > > 3. What is the metadata size for the default configuration?
> > > What's the downside of using 16 K?
>
> The whole LUKS2 default header takes 16MiB.
>
> For JSON area it is 16k, stored twice (we will increase it later, this
> is for compatibility reasons), for binary area - it is "16M - 2x16k"
> (16M minus JSON areas).
>
> There are only several possible sizes of JSON area you can use (see
> LUKS2 docs), binary area is basically arbitrary with maximum 128M, it
> must be aligned to 4k sectors.
>
> JSON area allows to store user token metadata, so if you do not need
> it, no need to enlarge it.
>
> Thanks,
> Milan
>
> References
>
> 1. mailto:gmazyland@xxxxxxxxx
> 2. mailto:hualing.yu@xxxxxxx
> 3. mailto:dm-crypt@xxxxxxxx
> 4. https://nam02.safelinks.protection.outlook.com/?url=https://okozina.fedorapeople.org/online-disk-reencryption-with-luks2-compact.pdf&data=02|01|hualing.yu@xxxxxxx|a096abcf38e8483e599808d7554555fc|a1f1e2147ded45b681a19e8ae3459641|0|1|637071628596824108&sdata=Zn13uT+7wsLKex3r6u3LWAC7xFobCn4PLs10ywQYxeU=&reserved=0
> 5. https://nam02.safelinks.protection.outlook.com/?url=https://asciinema.org/a/268573&data=02|01|hualing.yu@xxxxxxx|a096abcf38e8483e599808d7554555fc|a1f1e2147ded45b681a19e8ae3459641|0|1|637071628596824108&sdata=6DkH8Bwz699zeGzk25vf8gh4/KuImVaMeGEu34qHkCA=&reserved=0
> 6. https://nam02.safelinks.protection.outlook.com/?url=https://asciinema.org/a/268574&data=02|01|hualing.yu@xxxxxxx|a096abcf38e8483e599808d7554555fc|a1f1e2147ded45b681a19e8ae3459641|0|1|637071628596824108&sdata=8nuvhvj5fBB/eH0pu0/0qRNd7l47dVMQwzDrNFoeeMA=&reserved=0
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it.  The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
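As an added example (not from the thread, and not cryptsetup's own code): a Python check of both LUKS2 header copies in a device image, the kind of check point the background task above asks about; it verifies magic, version, stored offset, the header checksum and that the JSON area parses, for the primary copy and the secondary copy that the thread says is "stored twice". It assumes the binary header layout of the LUKS2 on-disk format as I read it (sha256 over binary header plus JSON area with the csum field zeroed), and the image and JSON metadata are constructed here rather than read from a real device.

```python
import hashlib
import json
import struct
# Binary header fields per the LUKS2 on-disk format (big-endian); 512 bytes
# of fields padded to 4096, then the JSON area.  Layout is my reading of the spec.
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"
BIN_HDR = 4096
MAGIC = {b"LUKS\xba\xbe": "primary", b"SKUL\xba\xbe": "secondary"}

def build_header(hdr_size, seqid, offset, metadata, secondary=False):
    """Construct one header copy (binary header + JSON area) with a valid csum."""
    magic = b"SKUL\xba\xbe" if secondary else b"LUKS\xba\xbe"
    body = json.dumps(metadata).encode().ljust(hdr_size - BIN_HDR, b"\0")
    fields = [magic, 2, hdr_size, seqid, b"", b"sha256", b"\0" * 64,
              b"11111111-2222-3333-4444-555555555555", b"", offset, b"", b"\0" * 64]
    blank = struct.pack(HDR_FMT, *fields).ljust(BIN_HDR, b"\0")
    fields[-1] = hashlib.sha256(blank + body).digest().ljust(64, b"\0")
    return struct.pack(HDR_FMT, *fields).ljust(BIN_HDR, b"\0") + body

def check_copy(image, offset):
    """Verify one header copy at `offset`; return (ok, detail, seqid)."""
    try:
        magic, ver, hdr_size, seqid, _, alg, _, _, _, hdr_off, _, csum = \
            struct.unpack(HDR_FMT, image[offset:offset + 512])
    except struct.error:
        return False, "truncated", None
    area = bytearray(image[offset:offset + hdr_size])
    if magic not in MAGIC or ver != 2 or hdr_off != offset or len(area) < hdr_size:
        return False, "bad magic/version/offset/size", None
    area[448:512] = b"\0" * 64                     # csum field is hashed as zeros
    try:
        digest = hashlib.new(alg.rstrip(b"\0").decode(), bytes(area)).digest()
    except (ValueError, UnicodeDecodeError):
        return False, "unknown checksum algorithm", None
    if csum[:len(digest)] != digest:
        return False, "checksum mismatch", None
    try:
        json.loads(area[BIN_HDR:].rstrip(b"\0"))
    except ValueError:
        return False, "JSON area unparsable", None
    return True, MAGIC[magic], seqid

def check_image(image, hdr_size=16384):
    """What a periodic health task would check: both copies valid, same seqid."""
    p, s = check_copy(image, 0), check_copy(image, hdr_size)
    return {"ok": p[0] and s[0] and p[2] == s[2], "primary": p[1], "secondary": s[1]}

# Constructed sample: 16k header size stored twice, "16M - 2x16k" left for keyslots.
META = {"keyslots": {}, "tokens": {}, "segments": {}, "digests": {},
        "config": {"json_size": "12288", "keyslots_size": "16744448"}}
IMAGE = build_header(16384, 7, 0, META) + build_header(16384, 7, 16384, META, True)
```

On a real device `image` would be the first 32k of the partition (or a luksHeaderBackup file); cryptsetup itself also validates the keyslot binary area, which this check leaves out.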