From: Milan Broz <gmazyland@gmail.com>
To: Marc SCHAEFER <schaefer@alphanet.ch>, cryptsetup@lists.linux.dev
Subject: Re: Equivalent of --integrity-recalculate
Date: Sat, 10 May 2025 18:18:18 +0200
Message-ID: <f2c3da09-bd41-427d-8e96-61d3a4a80397@gmail.com>
In-Reply-To: <aB919cDdLQfSsb0V@alphanet.ch>
On 5/10/25 5:51 PM, Marc SCHAEFER wrote:
> Hello,
>
> If you create a cryptsetup/luks device with integrity with:
>
> cryptsetup luksFormat -q --type luks2 --integrity hmac-sha256 $dev
>
> and then open it:
>
> cryptsetup open $dev backup-copy
>
> you then get, according to lsblk, two additional devices:
>
> - backup-copy (the transparently decrypted/encrypting volume)
>
> - backup-copy_dif (the integrity device)
>
> (which is similar, AFAIK, as when you use dm-integrity with LVM)
>
> If you create an integrity device separately, you get a
>
> integritysetup --integrity-recalculate open $dev integrity
>
> command which allows to recalculate the integrity blocks.
>
> I don't think cryptsetup has this option (*); is there a way to
> do it anyway? Or maybe remove the backup-copy_dif and
> re-add it?

No, because such an option is not implemented (and never will be) in dm-crypt.

Note, for integritysetup you use dm-integrity, for cryptsetup
dm-integrity only provides metadata space, AEAD encryption
is performed in dm-crypt above.

Sometimes it is not even possible, AEAD just cannot take
data with wrong authentication tag and fix it.
This is only possible when the integrity is calculated separately.

Milan
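
The distinction drawn in the reply above, as an added toy model that is not part of the original thread and not cryptsetup or kernel code: a separately calculated checksum can be rebuilt from the stored bytes, while an AEAD layer releases nothing for a sector whose tag does not verify. The class names, the CRC-32 checksum and the SHAKE-256 plus HMAC construction are illustrative assumptions, not dm-integrity or dm-crypt internals.

```python
import hashlib, hmac, zlib
SECTOR = 512

class StandaloneIntegrity:
    """Toy model of standalone dm-integrity: checksum over the data as stored."""
    def __init__(self, sectors):
        self.data = list(sectors)
        self.tags = [None] * len(self.data)        # tag area never initialised
    def recalculate(self):
        # Checksums depend only on the stored bytes, so they can be rebuilt in place.
        self.tags = [zlib.crc32(d) for d in self.data]
    def read(self, i):
        if self.tags[i] != zlib.crc32(self.data[i]):
            raise IOError(f"sector {i}: checksum mismatch")
        return self.data[i]

class AeadLayer:
    """Toy model of AEAD above a tag area: no plaintext unless the tag verifies."""
    def __init__(self, key, sectors):
        self.key, self.ct = key, list(sectors)
        self.tags = [b""] * len(self.ct)           # tag area never initialised
    def _xor(self, i, buf):
        # SHAKE-256 keystream: a stand-in cipher for illustration, not dm-crypt's.
        ks = hashlib.shake_256(self.key + i.to_bytes(8, "little")).digest(len(buf))
        return bytes(a ^ b for a, b in zip(buf, ks))
    def _tag(self, i, ct):
        return hmac.new(self.key, i.to_bytes(8, "little") + ct, hashlib.sha256).digest()
    def write(self, i, plaintext):
        self.ct[i] = self._xor(i, plaintext)
        self.tags[i] = self._tag(i, self.ct[i])    # a valid tag only exists after a write
    def read(self, i):
        if not hmac.compare_digest(self.tags[i], self._tag(i, self.ct[i])):
            raise IOError(f"sector {i}: authentication failed")
        return self._xor(i, self.ct[i])

def readable(dev, i):
    try:
        return dev.read(i) is not None
    except IOError:
        return False

def demo():
    old = [bytes([n]) * SECTOR for n in range(4)]  # constructed pre-existing contents
    plain, aead = StandaloneIntegrity(old), AeadLayer(b"k" * 32, old)
    before, unwritten = readable(plain, 0), readable(aead, 0)
    plain.recalculate()                            # re-tags whatever bytes are there
    aead.write(0, b"A" * SECTOR)                   # the AEAD model's only path to a valid tag
    return before, readable(plain, 0), unwritten, aead.read(0) == b"A" * SECTOR
```

In this model, recalculation also accepts whatever bytes happen to be stored, including corrupted ones, which is the trade-off of calculating integrity separately.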