Re: [dm-crypt] detached LUKS header size

[Milan Broz <gmazyland@gmail.com>]

On 23/11/2019 06:43, Fourhundred Thecat wrote:
> Hello,
> 
> I am using full-disk encryption with detached LUKS header.
> 
> The LUKS header file itself is stored on an initrd image which I boot
> from USB, and then I decrypt the cryptsetup partition on my disk and
> chroot into it.
> 
> The initrd system that I boot is very minimal, around 8MB in size.
> 
> The LUKS image, being 2MB, is making the initrd image needlessly bigger.
> 
> And the new LUKS2 format seems to use even larger header (10MB ?)

Please read post to this list
https://marc.info/?l=dm-crypt&m=157146906003981&w=2
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932437#10

If you want, you can decrease size to be even smaller than LUKS1.

> 
>  From what I understand, the keyslots themselves only use up 4KB of
> space, and the rest is used for "antiforensic stripes".
> 
> This is probably a good idea when LUKS header is stored on disk together
> with the cryptsetup partition.
> 
> But when using detached header, which is never stored on disk, this
> makes less sense
> 
> Thus my question:
> 
> is it possible, somehow, to reduce the size of the LUKS header to
> absolute minimum (4KB ?), when I don't need the antiforensic stripes ?

AF is mandatory and must be there, but you can allocate only absolute minimum
for the LUKS2 whole header (for example only area for 1 keyslot), if you do not need other features.

Please see linka above.

If you need smaller header, do not use LUKS, but even VeraCrypt aligns header
to 128k - despite the using only the firsrt sector.
There is more magic than AF related, alignment on storage for example.

Thanks,
Milan