alignment is not recomended.
That said, with default parameters, the data area starts at
- exactly 2MB offset (at 0x101000 for crptsetup versions before 1.3).
- The smallest data area you can have is one sector of 512 bytes.
- Data areas of 0 bytes can be created, but fail on mapping.
+ exactly 2MB offset (at 0x101000 for cryptsetup versions before
+ 1.3). The smallest data area you can have is one sector of 512
+ bytes. Data areas of 0 bytes can be created, but fail on mapping.
While you cannot put a filesystem into something this small, it may
- still be used to contain, for eamcple, key. Note that with current
+ still be used to contain, for example, key. Note that with current
formatting tools, a partition for a container this size will be
3MiB anyways. If you put the LUKS container into a file (via
losetup and a loopback device), the file needs to be 2097664 bytes
in size, i.e. 2MiB + 512B.
- The two ways to influence the start of the data area are key-size
+ There two ways to influence the start of the data area are key-size
and alignment.
For alignment, you can go down to 1 on the parameter. This will
still leave you with a data-area starting at 0x101000, i.e.
1MiB+4096B (default parameters) as alignment will be rounded up to
- the next multiple of 8 (i.e. 4096 bytes) (TODO: need to verify
- this).
+ the next multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run
+ on a larger file and dump the LUKS header to get actual
+ information.
For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit
(e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode).
- You can do 64 bit (e.g. blofish-64 with CBC), but anything below
+ You can do 64 bit (e.g. blowfish-64 with CBC), but anything below
128 bit has to be considered insecure today.
Example 1 - AES 128 bit with CBC:
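
Review bot: The added line "There two ways to influence the start of the data area are key-size" is no longer a grammatical sentence, while the removed line "The two ways to influence ..." was correct. Either keep "The" or reword to "There are two ways to influence the start of the data area: key-size and alignment." In the alignment paragraph, the new text "(i.e. 4096 bytes) If in doubt, do a dry-run" is missing a period after the closing parenthesis. The line that fixes "eamcple" still reads "to contain, for example, key" and needs an article ("a key"). The first added line says "exactly 2MB offset", but the file size given further down is "2MiB + 512B" (2097664 bytes), so "2MiB" would be consistent. The unchanged context line "alignment is not recomended." carries a typo that this spelling pass could pick up as well.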