Re: 10 M Luks2 header size?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

sorry for the late reply, I have a lot of personal issues these days,
so this mail was just stuck in the queue - thanks for the reminder.

On 27/10/2019 14:15, Hualing Yu wrote:> Could you please answer my last two questions below?
> 
> 1. I'm using linux kernel keyring as token for passphrase
> (likely one passphrase per LUKS partition).  Do I need to enlarge
> JSON?  (BTW, Why JSON area is stored twice, for backup only that
> area?)

Token (JSON) configuration takes some extra space, but if you
are limited to a few keyslots and few keyring tokens, default
JSON area size should be enough.

You can, of course, increase it during format, but I do not suggest
to use big JSON areas (>1MB).
IOW increasing to 64k should be more than enough if you have no extra user
JSON data stored there.)

The best is if you create the most complicated configuration for your
setup (used all slots + all tokens) and try to configure it.
If cryptsetup doesn't complain that there is not enough space, it is enough :)


For the storing JSON twice - long description is in LUKS2 doc
https://gitlab.com/cryptsetup/LUKS2-docs

It is not backup! We store it twice because LUKS2 expects more frequent
modification of metadata, so we can recover in the case one area is
corrupted (power fail or so).

Also, it increases reliability in the case one area is corrupted
by some other tool (it automatically updates from the second copy).

Note that BINARY area (binary stored keyslot content) is stored
only once (duplication would undermine anti-forensic filter).

> 
> 2.      If we have full filesystem redundancy, do we still need to
> use /luksHeaderBackup/<device> and /luksHeaderRestore/<device> are
> for entire 16 M header backup?  Any suggestion on what to check to
> ensure that the standby (inactivate) luks partition is in good
> condition?

RAID is not a backup. The same applies to redundant LUKS headers.

It increases availability (you can quickly recover if possible), but
you should have offline/offsite backup,

The luksHeaderBackup is in principle just copy of the area with
whole LUKS header (so it contains even unused reserved space,
this space is filled with random data - if it is not conversion
of old header).


I hope this helps.

Thanks,
Milan

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt



[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux