On 23/11/2019 06:43, Fourhundred Thecat wrote:
> Hello, I am using full-disk encryption with a detached LUKS header. The LUKS header file itself is stored on an initrd image which I boot from USB, and then I decrypt the cryptsetup partition on my disk and chroot into it.
>
> The initrd system that I boot is very minimal, around 8MB in size. The LUKS image, being 2MB, is making the initrd image needlessly bigger. And the new LUKS2 format seems to use an even larger header (10MB ?)

Please read the post to this list
https://marc.info/?l=dm-crypt&m=157146906003981&w=2
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932437#10

If you want, you can decrease the size to be even smaller than LUKS1.

> From what I understand, the keyslots themselves only use up 4KB of space, and the rest is used for "antiforensic stripes". This is probably a good idea when the LUKS header is stored on disk together with the cryptsetup partition. But when using a detached header, which is never stored on disk, this makes less sense.
>
> Thus my question: is it possible, somehow, to reduce the size of the LUKS header to the absolute minimum (4KB ?), when I don't need the antiforensic stripes ?

AF is mandatory and must be there, but you can allocate only the absolute minimum for the whole LUKS2 header (for example only the area for 1 keyslot), if you do not need other features. Please see the links above.

If you need a smaller header, do not use LUKS, but even VeraCrypt aligns its header to 128k, despite using only the first sector. There is more magic than AF related, alignment on storage for example.

Thanks,
Milan
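
Added example, not part of the original message and not cryptsetup project code: a sketch of how small a detached LUKS2 header can be when only the area for the needed keyslots is allocated, using the `--luks2-metadata-size` and `--luks2-keyslots-size` options of `cryptsetup luksFormat`. It assumes the usual LUKS2 layout (two metadata copies followed by the keyslot area, 4000 AF stripes per keyslot); `HEADER` and `DEVICE` are placeholders.

```shell
#!/bin/sh
# Added example: size a minimal detached LUKS2 header.
# Assumed layout: two metadata copies (binary header + JSON area),
# followed by the keyslot area holding the AF-split key material.

AF_STRIPES=4000   # anti-forensic stripes per keyslot (mandatory, see reply above)
ALIGN=4096        # each keyslot area is rounded up to a 4 KiB boundary

# Bytes one keyslot occupies for a volume key of $1 bits.
keyslot_area_bytes() {
    raw=$(( $1 / 8 * AF_STRIPES ))
    echo $(( (raw + ALIGN - 1) / ALIGN * ALIGN ))
}

# Total header bytes: $1 = key bits, $2 = keyslot count, $3 = metadata size in KiB.
header_bytes() {
    slot=$(keyslot_area_bytes "$1")
    echo $(( 2 * $3 * 1024 + $2 * slot ))
}

# Print (do not run) the luksFormat command for that layout.
# HEADER and DEVICE are placeholders, not real paths.
format_command() {
    slot=$(keyslot_area_bytes "$1")
    echo "cryptsetup luksFormat --type luks2 --key-size $1 --header HEADER" \
         "--luks2-metadata-size ${3}k --luks2-keyslots-size $(( $2 * slot / 1024 ))k DEVICE"
}

# 512-bit key (aes-xts), one keyslot, smallest metadata area (16 KiB per copy).
echo "keyslot area: $(keyslot_area_bytes 512) bytes"
echo "whole header: $(header_bytes 512 1 16) bytes"
format_command 512 1 16
```

A header sized for one keyslot has no room for a second passphrase, so adding a key later means re-creating the header with a larger keyslot area.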