Re: detached LUKS header size

On 23 Nov 2019 06:43 +0100, from 400thecat@xxxxxx (Fourhundred Thecat):
> is it possible, somehow, to reduce the size of the LUKS header to
> absolute minimum (4KB ?), when I don't need the antiforensic stripes ?

If you consider LUKS' anti-forensic properties not just unnecessary
but actually significantly wasteful in your situation, as it appears
from your posts, you could use just plain dm-crypt; but do be aware of
its drawbacks compared to LUKS. There's good reason why plain
dm-crypt, or for that matter loop-AES, have largely fallen out of use.

You can in principle use plain dm-crypt with cryptsetup's --key-file
parameter to store the volume encryption key either completely
unsecured except for the fact that it's on different media, or secured
by other means; for example, the cryptsetup man page mentions the
possibility of using GnuPG for the purpose of securing the key file.

That way you can, again in principle, get the key file size down to
exactly however large the key for your chosen encryption algorithm is;
for example, for AES-256-XTS (512 bits' worth of volume key material)
the file could be as little as 64 bytes in size (plus any overhead
incurred by whatever method you use to secure it, if any).

It's important to keep in mind that anything like the above won't be
_LUKS_, so you should be very careful to not refer to it as LUKS.

Also, I offer _no guarantees whatsoever_ that this scheme will be
secure against any particular class of adversary or type of attack, or
even secure against _any_ adversary or attack. I am _only_ pointing
out that it is _technically possible to do_ and that it appears to
meet your stated need.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx
 “Remember when, on the Internet, nobody cared that you were a dog?”
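
The plain dm-crypt approach described in the reply above, as an added shell example that is not part of the original message or of the cryptsetup project: it creates a raw key file of exactly the volume key size (64 bytes for a 512-bit AES-256-XTS key), checks that size, and shows the cryptsetup invocation for a plain mapping, plus the GnuPG-wrapped variant that the cryptsetup man page mentions. The block device `/dev/sdX1`, the mapping name `vol` and the file names are placeholders; the `open_plain` and `open_plain_gpg` functions need root and a real device, so the script defines them but does not call them.

```shell
#!/bin/sh
# Added example (not from the original thread). Placeholders: /dev/sdX1, "vol".
set -eu

# In plain mode, cryptsetup reads key-size bits from the key file and uses the
# bytes directly as the volume key (no hashing, no salt, no key slots).
KEY_BITS=512                      # aes-xts-plain64 with AES-256 needs 512 bits
key_bytes() { echo $((KEY_BITS / 8)); }   # 64 for AES-256-XTS

# The key file must hold exactly key-size bits of material; anything shorter
# means the mapping is either refused or made with the wrong key.
check_keyfile() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq "$(key_bytes)" ]
}

# Create the raw key file from the kernel CSPRNG with owner-only permissions.
# The subshell keeps the umask change from leaking into the caller.
make_keyfile() {
  file=$1
  ( umask 077; head -c "$(key_bytes)" /dev/urandom > "$file" )
  check_keyfile "$file"
}

# Plain dm-crypt mapping using the raw key file directly. Cipher and key size
# are not recorded anywhere on disk, so they must be passed every time.
open_plain() {   # usage: open_plain keyfile /dev/sdX1 vol
  cryptsetup open --type plain --cipher aes-xts-plain64 --key-size "$KEY_BITS" \
    --key-file "$1" "$2" "$3"
}

# Variant secured with GnuPG, as the man page suggests: the key file is kept
# symmetrically encrypted and decrypted on the fly into cryptsetup's stdin
# ("--key-file -" reads the key from standard input).
wrap_keyfile() {   # usage: wrap_keyfile keyfile   -> keyfile.gpg
  gpg --symmetric --cipher-algo AES256 --output "$1.gpg" "$1"
}
open_plain_gpg() {   # usage: open_plain_gpg keyfile.gpg /dev/sdX1 vol
  gpg --quiet --decrypt "$1" | cryptsetup open --type plain \
    --cipher aes-xts-plain64 --key-size "$KEY_BITS" --key-file - "$2" "$3"
}
```

Note that the 64-byte file is the entire secret: losing it means losing the volume, and unlike a LUKS header there is no second key slot, no checksum and no record of the cipher parameters, which is the trade-off the reply warns about.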

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt



