From: Milan Broz
To: Fourhundred Thecat <400thecat@gmx.ch>, dm-crypt@saout.de
Subject: Re: [dm-crypt] detached LUKS header size
Date: Sat, 23 Nov 2019 09:48:11 +0100
In-Reply-To: <62fc7ef6-e289-b268-17d5-6ac1df2f3904@gmx.ch>

On 23/11/2019 06:43, Fourhundred Thecat wrote:
> Hello,
>
> I am using full-disk encryption with detached LUKS header.
>
> The LUKS header file itself is stored on an initrd image which I boot
> from USB, and then I decrypt the cryptsetup partition on my disk and
> chroot into it.
>
> The initrd system that I boot is very minimal, around 8MB in size.
>
> The LUKS image, being 2MB, is making the initrd image needlessly bigger.
>
> And the new LUKS2 format seems to use even larger header (10MB ?)

Please read post to this list
https://marc.info/?l=dm-crypt&m=157146906003981&w=2
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932437#10

If you want, you can decrease size to be even smaller than LUKS1.

>
> From what I understand, the keyslots themselves only use up 4KB of
> space, and the rest is used for "antiforensic stripes".
>
> This is probably a good idea when LUKS header is stored on disk together
> with the cryptsetup partition.
>
> But when using detached header, which is never stored on disk, this
> makes less sense
>
> Thus my question:
>
> is it possible, somehow, to reduce the size of the LUKS header to
> absolute minimum (4KB ?), when I don't need the antiforensic stripes ?

AF is mandatory and must be there, but you can allocate only absolute
minimum for the LUKS2 whole header (for example only area for 1 keyslot),
if you do not need other features. Please see links above.

If you need smaller header, do not use LUKS, but even VeraCrypt aligns
header to 128k - despite using only the first sector.

There is more magic than AF related, alignment on storage for example.

Thanks,
Milan
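
Added example, not part of the original message and not cryptsetup's own code: a sizing sketch showing why a mandatory AF-split keyslot cannot fit in 4 KB and roughly how small a one-keyslot LUKS2 header can get. The constants (4000 stripes, 4 KiB keyslot alignment, two 16 KiB metadata areas) are assumptions about cryptsetup's LUKS2 defaults and minimums; the helper names are hypothetical.

```python
# Added example: estimate the smallest LUKS2 header for a given key size.
# Assumed constants (cryptsetup defaults/minimums, not stated in the thread):
AF_STRIPES = 4000           # anti-forensic stripes per keyslot
ALIGN = 4096                # keyslot areas are aligned to 4 KiB
METADATA_AREA = 16 * 1024   # smallest metadata area (binary header + JSON)
METADATA_COPIES = 2         # primary and secondary copy


def align_up(n, boundary=ALIGN):
    """Round n up to the next multiple of boundary."""
    return -(-n // boundary) * boundary


def keyslot_area_bytes(key_bits):
    """Bytes one keyslot needs: the volume key expanded into AF stripes."""
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return align_up(key_bits // 8 * AF_STRIPES)


def min_header_bytes(key_bits, keyslots=1):
    """Estimated header size: both metadata copies plus the keyslot areas."""
    if keyslots < 1:
        raise ValueError("at least one keyslot is required")
    return METADATA_COPIES * METADATA_AREA + keyslots * keyslot_area_bytes(key_bits)


def format_options(key_bits, keyslots=1):
    """luksFormat size options matching the estimate (keyslot area in bytes)."""
    area = keyslots * keyslot_area_bytes(key_bits)
    return ["--luks2-metadata-size", "16k", "--luks2-keyslots-size", str(area)]


if __name__ == "__main__":
    for bits in (256, 512):  # 512 bits is the usual aes-xts-plain64 key size
        total = min_header_bytes(bits)
        print(f"{bits}-bit key: keyslot area {keyslot_area_bytes(bits)} B, "
              f"header ~{total} B ({total // 1024} KiB)")
        print("  cryptsetup luksFormat --type luks2 --header <header-file> "
              + " ".join(format_options(bits)) + " <device>")
```

The printed command only illustrates where the computed sizes would go; check the result against `cryptsetup luksDump` on the header file, since the tool may round or reject values.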