From: Milan Broz <mbroz@redhat.com>
To: Klaus Schneider <klaus_snd@web.de>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] minimal LUKS container size
Date: Wed, 07 Dec 2011 13:03:26 +0100
Message-ID: <4EDF560E.9060004@redhat.com>
In-Reply-To: <214444323.79200.1323257277449.JavaMail.fmail@mwmweb029>

On 12/07/2011 12:27 PM, Klaus Schneider wrote:
> Hello
>
> thanks for the effort you put into developing LUKS and cryptsetup. I
> have a suggestion for improving the package: Please document the
> minimal size for a LUKS container; I could not find it in the
> documentation nor in the FAQ. It would also be helpful if "cryptsetup
> luksCreate" would fail with an error message if the container is too
> small. Currently, "cryptsetup luksCreate" succeeds and "cryptsetup
> luksOpen" fails with a device-mapper error, which does not point the
> user into the right direction. It took me quite some time to find out
> the reason being too small a container. As far as I could find out by
> trial and error, for cryptsetup 1.3 with the default settings the
> container must be larger than 2MB (creating a 3MB container results
> in a 1MB filesystem), whereas for the old 1.1 release it seems to be > 1MB.
> Is this correct? Rationale for a small container: I want to
> have a key file on a USB medium secured in a LUKS container. Since
> the key is only 512 Bit long, a very small container would be
> sufficient.

Minimal size depends on two things:
- volume key size
- alignment of data area

Cryptsetup 1.3 by default aligns data to 1MB offset multiple, that's why
you see this change.

You can switch to old alignment by using data alignment override, e.g.

  cryptsetup luksFormat -s 128 --align-payload=8

(So here forcing keysize to 128bit and forcing alignment to 4k offset.
- value is in 512 byte sectors.
This is perhaps the smallest header possible while still using
reasonable key size - 1032 x 512 bytes sectors ~ 520kB)

(But also note that misalignment to flash memory block can have
some performance effects.)

Anyway, some example in FAQ would be nice.

Milan
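
The header arithmetic behind the figures in this message, as an added example that is not part of the original email or of cryptsetup's code. It assumes the LUKS1 on-disk layout (8 key slots, 4000 anti-forensic stripes, key-slot areas aligned to 4 KiB) and a 256-bit default key for cryptsetup 1.3; the function names are hypothetical.

```python
# Added example: LUKS1 header arithmetic. Layout constants are assumptions
# taken from the LUKS1 on-disk format, not from the message itself.
SECTOR = 512       # bytes; --align-payload is given in these units
KEYSLOTS = 8       # LUKS1 key slots
STRIPES = 4000     # anti-forensic stripes per key slot
SLOT_ALIGN = 8     # key-slot areas start on 4 KiB boundaries (sectors)
PHDR_SECTORS = 8   # binary header, rounded up to the first slot boundary
MIB = 1024 * 1024


def round_up(value, multiple):
    """Smallest multiple of `multiple` that is >= value."""
    return -(-value // multiple) * multiple


def payload_offset(key_bits, align_payload):
    """First data sector for a given key size and --align-payload value."""
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    if align_payload <= 0:
        raise ValueError("alignment must be a positive sector count")
    slot_bytes = (key_bits // 8) * STRIPES
    slot_sectors = round_up(round_up(slot_bytes, SECTOR) // SECTOR, SLOT_ALIGN)
    return round_up(PHDR_SECTORS + KEYSLOTS * slot_sectors, align_payload)


def usable_bytes(container_bytes, key_bits, align_payload):
    """Bytes left for the mapped device; <= 0 means the container is too small."""
    return container_bytes - payload_offset(key_bits, align_payload) * SECTOR


if __name__ == "__main__":
    for label, bits, align in [
        ("1.3 default alignment, 256-bit key (assumed default)", 256, 2048),
        ("old 4k alignment, 256-bit key", 256, 8),
        ("-s 128 --align-payload=8", 128, 8),
    ]:
        off = payload_offset(bits, align)
        print(f"{label}: header {off} sectors = {off * SECTOR / 1024:.0f} KiB, "
              f"3 MiB container leaves {usable_bytes(3 * MIB, bits, align)} bytes")
```

A container whose usable size comes out at zero or below formats successfully but cannot be mapped, which is the failure described in the quoted report.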