From: Milan Broz
Date: Fri, 27 Dec 2019 22:19:33 +0100
Subject: Re: [dm-crypt] How to compress LUKS2 header?
To: "Julio Cesar Faracco - jfaracco@br.ibm.com", "dm-crypt@saout.de"

On 27/12/2019 21:46, Julio Cesar Faracco - jfaracco@br.ibm.com wrote:
> Thanks for your suggestions, guys...
>
> Do you have any recommendation to reduce this header size then?
> Imagine 1000 lab machines.. They are taking 20 GB to backup each header.

Hi,

just few notes:

- used keyslots areas (both in LUKSv1 and LUKSv2) cannot be compressed,
  it contains encrypted keyslot data.

- unused keyslot binary areas are filled by a random data on format (or wipe),
  so these areas cannot be compressed either. (For LUKSv2 it is the whole binary area.)

That said... We can probably add some option to wipe unused keyslot areas
with zeroes on backup.

For the header size - for LUKSv2 you can easily decrease header size, if you do not
need more slot area or you do not plan to use reencryption.

Please read this post
https://marc.info/?l=dm-crypt&m=157146906003981&w=2

Milan

>
> Revert to LUKS v1 type is not a possibility.
>
> I appreciate your help...
>
> --
> Julio Cesar Faracco
>
>
> From: dm-crypt on behalf of Michael Kjörling
> Sent: Friday, December 27, 2019 1:20:11 PM
> To: dm-crypt@saout.de
> Subject: [EXTERNAL] Re: [dm-crypt] How to compress LUKS2 header?
>
> On 27 Dec 2019 10:56 -0500, from gebser@mousecar.com (ken):
>> Compressing a file is one step in the encryption of that file. So if
>> your LUKS2 header file is encrypted, it's also already compressed.
>> Using ZIP on it would yield no further compression.
>
> No, encryption does not imply compression. Rather, trying to compress
> ciphertext is a largely pointless exercise if the encryption is any
> good in the first place; therefore, _if_ you're going to compress the
> data you're encrypting (keeping in mind that doing so is not always a
> good idea; see compression oracle attacks), then you need to compress
> first, then encrypt, not the other way around.
>
> I'm pretty sure the LUKS header backup isn't compressed.
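
The point in the message above about random-filled versus zero-filled unused keyslot areas, as an added example that is not part of the original thread or of cryptsetup: a simplified model of a header backup is compressed with zlib in both cases. The layout, slot count and sizes are constructed assumptions, not the real LUKS2 on-disk format.

```python
import os
import zlib

KIB = 1024


def build_backup(slots_used, unused_fill, slots_total=8,
                 slot_size=256 * KIB, metadata_size=32 * KIB):
    """Simplified model of a header backup: metadata, then a keyslot area.

    Constructed layout for illustration only; not the LUKS2 on-disk format.
    """
    meta = b'{"keyslots": %d}' % slots_used
    blob = bytearray(meta.ljust(metadata_size, b"\0"))
    for slot in range(slots_total):
        if slot < slots_used:
            # Encrypted keyslot material looks like random bytes to a compressor.
            blob += os.urandom(slot_size)
        elif unused_fill == "random":
            # Unused areas filled with random data on format or wipe.
            blob += os.urandom(slot_size)
        else:
            # The option floated in the message: zero unused areas in the backup.
            blob += bytes(slot_size)
    return bytes(blob)


def compressed_size(blob):
    """Size in bytes after zlib compression at the highest level."""
    return len(zlib.compress(blob, 9))


def compare(slots_used=1):
    """Return {fill: (raw_size, compressed_size)} for both fill strategies."""
    result = {}
    for fill in ("random", "zero"):
        blob = build_backup(slots_used, fill)
        result[fill] = (len(blob), compressed_size(blob))
    return result


if __name__ == "__main__":
    for fill, (raw, packed) in compare().items():
        print(f"unused areas = {fill:6s}  raw {raw:>8d} B  zlib {packed:>8d} B")
```

With one used slot, the zero-filled variant compresses to roughly the size of that single slot, while the random-filled variant does not shrink at all.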