bug in cryptsetup --header option when using luksFormat?

Dear Christophe,

I am familiarizing myself with cryptsetup, and I have found no way to use the --header option while also providing an --align-payload parameter with the intended effect.
The version I am using is cryptsetup 2.1.0 as live in the Debian buster repositories at the moment.

Every way I try, the command:
  cryptsetup --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 --align-payload=40960 luksFormat containerfile --header headerfile

creates a correct header in "headerfile", but enlarges the headerfile to the total size indicated by --align-payload - in this case the headerfile ends up being 20MB in size, and with higher "offsets", it will become huge. All of it seems to be cryptographic data, because the luksBackupHeader command will just duplicate the big header file, and using only the first 16M of it will fail.

The options --offset and --align-payload seem to both trigger the behavior, but only --align-payload seems to store the luks container at an offset as intended.

A workaround that I can do is:
  cryptsetup --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 --align-payload=40960 luksFormat containerfile

  # extract the headerfile from the containerfile
  dd if=containerfile of=headerfile bs=1M count=16

  # overwrite the original header in the container with urandom data
  dd conv=notrunc if=/dev/urandom of=containerfile bs=1M count=16

  cryptsetup --header headerfile open containerfile devicemappername

After this, the device under /dev/mapper/devicemappername behaves as expected.


However, even in the workaround, the --align-payload option seems to trigger a looooooooooooooooooong write operation - e.g. when trying to align a payload somewhere at +250 Gigabytes, the cryptsetup takes ages to complete and is hammering the disk, while it near instantly completes when not using --align-payload.

I have researched via Google etc. for days now without finding a solution, so I hope you may be able to do something with the information provided.

Kind regards

   aral
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
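
The header-size versus payload-offset comparison from the message above, as an added example that is not part of the original post or of cryptsetup: it reads the payload offset from a LUKS1 or LUKS2 header and, for LUKS2, where the metadata area ends, so both can be compared with the size of a header file. The function names and the sample headers are constructed for illustration; 40960 sectors of 512 bytes is the 20 MB figure in the report.

```python
import json
import struct

SECTOR = 512
MAGIC = b"LUKS\xba\xbe"

def luks_layout(header: bytes):
    """Return (version, data_offset_bytes, metadata_end_bytes or None)."""
    if header[:6] != MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    (version,) = struct.unpack_from(">H", header, 6)
    if version == 1:
        # LUKS1: payload offset is a big-endian u32 sector count at byte 104.
        (sectors,) = struct.unpack_from(">I", header, 104)
        return 1, sectors * SECTOR, None
    if version == 2:
        # LUKS2: 4096-byte binary header plus NUL-padded JSON; hdr_size covers both.
        (hdr_size,) = struct.unpack_from(">Q", header, 8)
        meta = json.loads(header[4096:hdr_size].split(b"\0", 1)[0])
        data_offset = min(int(s["offset"]) for s in meta["segments"].values())
        # Two header copies are followed by the binary keyslots area.
        metadata_end = 2 * hdr_size + int(meta["config"]["keyslots_size"])
        return 2, data_offset, metadata_end
    raise ValueError(f"unsupported LUKS version {version}")

def constructed_luks2_header(align_payload_sectors=40960):
    """Constructed sample: minimal LUKS2 primary header, not a real volume."""
    meta = {"segments": {"0": {"type": "crypt",
                               "offset": str(align_payload_sectors * SECTOR)}},
            "config": {"json_size": "12288", "keyslots_size": "16744448"}}
    binary = (MAGIC + struct.pack(">HQ", 2, 16384)).ljust(4096, b"\0")
    return binary + json.dumps(meta).encode().ljust(12288, b"\0")

def constructed_luks1_header(align_payload_sectors=40960):
    """Constructed sample: only the LUKS1 fields this parser reads."""
    return (MAGIC + struct.pack(">H", 1)).ljust(104, b"\0") + \
        struct.pack(">I", align_payload_sectors)

if __name__ == "__main__":
    version, data_offset, metadata_end = luks_layout(constructed_luks2_header())
    print(f"LUKS{version}: data at {data_offset} bytes, metadata ends at {metadata_end}")
```

To inspect a real header file, pass the beginning of the file (at least the primary header, whose length is the `hdr_size` field) to `luks_layout` and compare the result with the file's size.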


