Hi Milan,

I just set up my Outlook email text format to HTML. Please let me know if this is readable to you.

May I ask a couple of additional questions about this so that we know how to trade off.

1. What can the reencryption do for us? Could you explain very briefly as I'm not sure if we need it?
2. We need only one or at most two keyslots but we do want them to be scattered as much as needed, just as in the default case. What can we do? Use -luks2-keyslots-size=1 M (or whatever size that will give two keys enough space to scatter)?
3. What is the size of the metadata for the default configuration? What's the downside of using 16 K?

I thank you very much for your help on this!

Hualing

-----Original Message-----
From: Hualing Yu
Sent: Saturday, October 19, 2019 2:47 PM
To: Milan Broz ; dm-crypt@saout.de
Subject: RE: [dm-crypt] 10 M Luks2 header size?

Hi Milan,

Finally I found the right person for this! Thank you very much!!

I will try the way to make a smaller header, but also will share your suggestion with our team about keeping the default settings. We work on an embedded system but not a very tiny one. We may be able to survive with the 16 M default header. The important part is to understand this is correct. I was worried if I did something wrong 8-)

Again, thank you very much!!

Hualing

-----Original Message-----
From: Milan Broz [mailto:gmazyland@gmail.com]
Sent: Saturday, October 19, 2019 3:08 AM
To: Hualing Yu ; dm-crypt@saout.de
Subject: Re: [dm-crypt] 10 M Luks2 header size?

On 18/10/2019 21:24, Hualing Yu wrote:
> Sorry one typo -
> See in red below.
> Thank you very much for the help!

Hi,

Please, could you send your question without using HTML in the mail next time? I am usually replying to the HTML emails, but your mail is almost unreadable in a text mail client.

For the question, I was able to decode:

Yes, the default LUKS2 header size is 16M, it allocates much more area for a possible online operation later (online reencryption).
But it is configurable, and you can decrease pre-allocated areas, even to the absolute minimum. It only applies if 1 keyslot is ok for you and you do not want to use any extensions in the future, more explanation here
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932437#10

For the generic area description read design doc
https://gitlab.com/cryptsetup/LUKS2-docs

For the generic user, if you can, please do not change the default, 16MB is today really not a big amount of disk storage. (With the exceptions of embedded systems.)

Milan

> _____________________________________________
> *From:* Hualing Yu
> *Sent:* Friday, October 18, 2019 3:02 PM
> *To:* 'dm-crypt@saout.de'
> *Subject:* 10 M Luks2 header size?
>
>
> Hello,
>
> I have a question on Luks2 header size. I created a luks2 partition with only one passphrase slot enabled. But it seems to take really 10 M space. Here is the luks dump:
>
> sh-4.4# cryptsetup luksDump /dev/mmcblk2gp0p2
> LUKS header information
> Version: 2
> Epoch: 3
> Metadata area: 16384 [bytes]
> Keyslots area: 16744448 [bytes] <<<<<<<<<<<<<<<<<<<<<< why keyslots take so much space?
> UUID: 9037890e-0f2b-4d73-b93b-e2bb53579492
> Label: (no label)
> Subsystem: (no subsystem)
> Flags: (no flags)
> Data segments:
>   0: crypt
>         offset: 16777216 [bytes] <<<<<<<<<<<<<<<<<<<<<<< so this means the space available to user data is after keyslots
>         length: (whole device)
>         cipher: aes-xts-plain64
>         sector: 512 [bytes]
>
> I checked on the internet and found all luks2 header dumps show the same values for those two commented entries.
> I actually also looked into my device content using the dd command, and see indeed the space before 16777216 bytes (10 M) is all scattered, filled with something; only after that point, it is all '0'. I zeroed out the entire device before doing cryptsetup luksFormat.
> Also checked the mapped device size from /dev/mapper/, and from /dev/ :
>
> sh-4.4# fdisk -l /dev/mmcblk2gp0p2
> Disk /dev/mmcblk2gp0p2: 392 MB, 411041792 bytes, 802816 sectors
> 12544 cylinders, 4 heads, 16 sectors/track
> Units: sectors of 1 * 512 = 512 bytes
>
> Disk /dev/mmcblk2gp0p2 doesn't contain a valid partition table
> sh-4.4#
> sh-4.4# fdisk -l /dev/mapper/gp0p2
> Disk /dev/mapper/gp0p2: 376 MB, 394264576 bytes, 770048 sectors
> 47 cylinders, 255 heads, 63 sectors/track
> Units: sectors of 1 * 512 = 512 bytes
>
> 411041792 - 394264576 = 16777216 (10M)
>
> Is there anything wrong? Should luks have so much overhead?
> I appreciate it greatly if you could share your thinking on this.
>
> Thank you,
>
>
> Hualing
>
> _____________________________________________
> *From:* Hualing Yu
> *Sent:* Friday, October 18, 2019 10:22 AM
> *To:* _dm-crypt@saout.de_
> *Subject:* question on LUKS2
>
>
> Hello,
>
> Is this mailing list still active?
> May I still ask questions here?
>
> Thanks,
>
>
> Hualing Yu
>
> Firmware Engineering
> Security Products
> Johnson Controls
> 6 Technology Park Drive
> Westford, MA 01886
> USA
> +1 978 577 4171 direct
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
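
Added example (not part of any message in this thread): the header accounting behind the luksDump output quoted above, using the fact that LUKS2 stores two copies of the metadata area in front of the keyslots area. The keyslot sizing helper assumes a 512-bit key, 4000 AF stripes and 4 KiB alignment; those three values are assumptions and do not appear in the dump.

```python
import re

# Header fields copied from the luksDump output quoted in the thread.
LUKS_DUMP = """\
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
        offset: 16777216 [bytes]
"""

METADATA_COPIES = 2  # LUKS2 keeps a primary and a secondary metadata area
ALIGN = 4096         # assumption: each keyslot area is aligned up to 4 KiB

def parse_dump(text):
    """Return the byte counts luksDump reports for the header layout."""
    fields = {}
    for name, key in (("Metadata area", "metadata"),
                      ("Keyslots area", "keyslots"),
                      ("offset", "data_offset")):
        m = re.search(rf"^\s*{name}:\s*(\d+) \[bytes\]", text, re.M)
        if m is None:
            raise ValueError(f"field {name!r} not found in dump")
        fields[key] = int(m.group(1))
    return fields

def header_size(metadata, keyslots):
    """Bytes in front of the data segment: both metadata copies + keyslots."""
    return METADATA_COPIES * metadata + keyslots

def keyslot_area(key_bytes=64, af_stripes=4000):
    """Assumed size of one keyslot: key split into AF stripes, aligned up."""
    raw = key_bytes * af_stripes
    return -(-raw // ALIGN) * ALIGN

def keyslots_that_fit(keyslots_area_bytes, **kw):
    """How many keyslots of the assumed size fit in a keyslots area."""
    return keyslots_area_bytes // keyslot_area(**kw)

if __name__ == "__main__":
    f = parse_dump(LUKS_DUMP)
    total = header_size(f["metadata"], f["keyslots"])
    print("header bytes:", total, "matches offset:", total == f["data_offset"])
    print("one keyslot:", keyslot_area(), "bytes;",
          keyslots_that_fit(1024 * 1024), "fit in a 1 MiB keyslots area")
```
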