On 5/12/20 7:48 AM, Maksim Fomin wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, May 11, 2020 7:58 PM, Milan Broz <gmazyland@xxxxxxxxx> wrote:
On 11/05/2020 21:07, Maksim Fomin wrote:
After reading LUKS2 on-disk format specification, I have one main
question - does LUKS2 data resides entirely on header, which occupies
first 16 mib (at most) of block device?
Yes, all LUKS metadata are stored in the LUKS header.
But the LUKS header size is configurable (it is not fixed to 16MB,
16MB is just the default size)
(And most of the area is reserved for keyslots, used in online reencryption.)
Can default size (16MiB) be extended after setting up LUKS partition? What is recommended size? What are reasons to increase default size?
There were basically two reasons for the increase in default LUKS2
metadata size IIRC:
1) As Milan pointed out online reencryption performs much better when
there's enough consecutive free space in LUKS2 keyslots area (the binary
area for keyslots material).
While testing we figured out that with 16 MiB LUKS2 metadata we hit a good
balance of getting good enough performance for reencryption and not
consuming too much free space on a drive, so that it's not a big issue
for the general use case and for users not interested in reencryption.
To get smaller metadata size you can format the device with:
cryptsetup luksFormat --offset 8192 and data offset (and LUKS2 metadata
size) will be at 4MiB exactly (similar to current LUKS1 default).
2) LUKS2 supports up to 32 keyslots. With a 4 MiB keyslots area there
was not enough space to fill all keyslots.
In general I don't think 16MB is a big issue nowadays, and for special use
cases you can create smaller LUKS2 metadata. Even smaller than LUKS1.
Milan gave example here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932437#10
----
So I'd say 16 MiB is indeed recommended default LUKS2 metadata size in
most cases.
-----
About extending existing LUKS2 metadata. Technically it's possible, but
currently you have to use reencryption for it since we have to reduce
data device size first before extending LUKS2 metadata.
cryptsetup reencrypt --reduce-device-size 4M /dev/sdx
(but do NOT forget to shrink residing filesystem/data first!)
By reducing the data device by 4 MiB we can extend LUKS2 metadata by the same
value. In the process the data are shifted backwards towards the tail of the
device.
In future we may add an option to change LUKS2 metadata in-place w/o data
shifting (reencryption), but that would be a feature that requires
cooperation with e.g. LVM2 or other volume management tools. If LVM2
could extend a device by adding extents at the head of an LV, it would
also be possible to simplify online encryption etc.
Kind regards
O.
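Added example (not code from the thread or from cryptsetup): a small parser that reads a LUKS2 header image, verifies the header checksum, and reports the layout numbers discussed above (header size, keyslots area, data offset), plus helpers that compute the keyslots area left by a given luksFormat --offset value and estimate how many keyslots fit in it. The field layout follows the LUKS2 on-disk format (4096-byte big-endian binary header, JSON area up to hdr_size, second copy at hdr_offset = hdr_size, keyslots area, then data). The sample header image is constructed in the script (empty keyslot table, fixed salt and UUID, no key material); the per-keyslot size estimate (key bytes x 4000 AF stripes rounded up to 4 KiB) is an assumption for illustration, not cryptsetup's exact allocator.

```python
"""Parse/verify a LUKS2 header image and derive its metadata layout."""
import hashlib
import json
import struct

MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")   # primary copy, secondary copy
BIN_HDR_SIZE = 4096
SECTOR = 512
DEFAULT_HDR_SIZE = 16384                       # 16 KiB per header copy
AF_STRIPES = 4000                              # LUKS anti-forensic stripes
# struct luks2_hdr_disk (big-endian, packed): magic[6], version u16, hdr_size
# u64, seqid u64, label[48], checksum_alg[32], salt[64], uuid[40],
# subsystem[48], hdr_offset u64, pad[184], csum[64], pad[3584] == 4096 bytes
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
assert struct.calcsize(HDR_FMT) == BIN_HDR_SIZE


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii")


def keyslots_area_size(data_offset_sectors: int, hdr_size: int = DEFAULT_HDR_SIZE) -> int:
    """Bytes available for keyslots between the two header copies and the data.
    luksFormat --offset 8192 (4 MiB) therefore leaves 4 MiB minus 32 KiB."""
    area = data_offset_sectors * SECTOR - 2 * hdr_size
    if area < 0:
        raise ValueError("data offset smaller than the two header copies")
    return area


def max_keyslots(area_bytes: int, key_bytes: int = 64) -> int:
    """Estimate (assumption): one slot holds key_bytes * AF_STRIPES of AF-split
    material rounded up to 4 KiB; the format allows at most 32 slots."""
    slot = -(-key_bytes * AF_STRIPES // 4096) * 4096
    return min(32, area_bytes // slot)


def build_header_image(data_offset_sectors: int, hdr_size: int = DEFAULT_HDR_SIZE,
                       seqid: int = 1) -> bytes:
    """Constructed sample: both header copies with an empty keyslot table."""
    data_offset = data_offset_sectors * SECTOR
    meta = {
        "keyslots": {}, "tokens": {}, "digests": {},
        "segments": {"0": {"type": "crypt", "offset": str(data_offset),
                           "size": "dynamic", "iv_tweak": "0",
                           "encryption": "aes-xts-plain64", "sector_size": 512}},
        "config": {"json_size": str(hdr_size - BIN_HDR_SIZE),
                   "keyslots_size": str(keyslots_area_size(data_offset_sectors, hdr_size))},
    }
    json_area = json.dumps(meta, separators=(",", ":")).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")
    image = b""
    for copy, magic in enumerate(MAGIC):
        fields = [magic, 2, hdr_size, seqid, b"", b"sha256", b"\x11" * 64,  # fixed sample salt
                  b"00000000-0000-4000-8000-000000000000", b"", copy * hdr_size,
                  b"", b"\0" * 64, b""]
        # checksum covers the binary header with csum zeroed, plus the JSON area
        digest = hashlib.sha256(struct.pack(HDR_FMT, *fields) + json_area).digest()
        fields[11] = digest.ljust(64, b"\0")
        image += struct.pack(HDR_FMT, *fields) + json_area
    return image


def parse_header(image: bytes, offset: int = 0) -> dict:
    """Parse and checksum-verify the header copy at `offset`; raise on damage."""
    raw = image[offset:offset + BIN_HDR_SIZE]
    if len(raw) != BIN_HDR_SIZE:
        raise ValueError("short read of binary header")
    fields = list(struct.unpack(HDR_FMT, raw))
    magic, version, hdr_size, seqid, _label, alg, _salt, uuid, _sub, hdr_offset, _p, csum, _p2 = fields
    if magic not in MAGIC:
        raise ValueError("not a LUKS2 header (bad magic)")
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    if hdr_offset != offset:
        raise ValueError("hdr_offset field does not match header position")
    json_area = image[offset + BIN_HDR_SIZE:offset + hdr_size]
    if len(json_area) != hdr_size - BIN_HDR_SIZE:
        raise ValueError("short read of JSON area")
    fields[11] = b"\0" * 64
    h = hashlib.new(_cstr(alg))
    h.update(struct.pack(HDR_FMT, *fields))
    h.update(json_area)
    if csum != h.digest().ljust(64, b"\0"):
        raise ValueError("header checksum mismatch (corrupt or tampered header)")
    meta = json.loads(_cstr(json_area))
    data_offset = int(meta["segments"]["0"]["offset"])
    keyslots_size = int(meta["config"]["keyslots_size"])
    if 2 * hdr_size + keyslots_size > data_offset:
        raise ValueError("keyslots area overlaps the data segment")
    return {"hdr_size": hdr_size, "seqid": seqid, "uuid": _cstr(uuid),
            "data_offset": data_offset, "keyslots_size": keyslots_size,
            "metadata_size": 2 * hdr_size + keyslots_size,
            "keyslots_used": len(meta["keyslots"])}


if __name__ == "__main__":
    for sectors in (32768, 8192):   # default 16 MiB data offset, and --offset 8192
        img = build_header_image(sectors)
        primary = parse_header(img, 0)
        secondary = parse_header(img, primary["hdr_size"])
        assert primary["data_offset"] == secondary["data_offset"]
        print(f"--offset {sectors}: data at {primary['data_offset'] // 2**20} MiB, "
              f"keyslots area {primary['keyslots_size']} bytes, "
              f"~{max_keyslots(primary['keyslots_size'])} slots for 512-bit keys")
```

On a real device the same parser can be pointed at the first 32 KiB read from /dev/sdx (or a luksHeaderBackup file); the checksum check is what lets you tell a damaged primary copy from the intact secondary one before trusting either.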
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt