From 0d766c586846528a967acf4d0c67e4d2485539fe Mon Sep 17 00:00:00 2001 From: Arno Wagner Date: Fri, 20 Jan 2012 12:58:28 +0000 Subject: [PATCH] fixed some typos. git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@708 36d66b0a-2a48-0410-832c-cd162a569da5 --- FAQ | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/FAQ b/FAQ index 6ed5cfc..661c7d6 100644 --- a/FAQ +++ b/FAQ @@ -1244,29 +1244,30 @@ http://code.google.com/p/cryptsetup/source/browse/trunk/misc/luks-header-from-ac alignment is not recomended. That said, with default parameters, the data area starts at - exactly 2MB offset (at 0x101000 for crptsetup versions before 1.3). - The smallest data area you can have is one sector of 512 bytes. - Data areas of 0 bytes can be created, but fail on mapping. + exactly 2MB offset (at 0x101000 for cryptsetup versions before + 1.3). The smallest data area you can have is one sector of 512 + bytes. Data areas of 0 bytes can be created, but fail on mapping. While you cannot put a filesystem into something this small, it may - still be used to contain, for eamcple, key. Note that with current + still be used to contain, for example, key. Note that with current formatting tools, a partition for a container this size will be 3MiB anyways. If you put the LUKS container into a file (via losetup and a loopback device), the file needs to be 2097664 bytes in size, i.e. 2MiB + 512B. - The two ways to influence the start of the data area are key-size + There two ways to influence the start of the data area are key-size and alignment. For alignment, you can go down to 1 on the parameter. This will still leave you with a data-area starting at 0x101000, i.e. 1MiB+4096B (default parameters) as alignment will be rounded up to - the next multiple of 8 (i.e. 4096 bytes) (TODO: need to verify - this). + the next multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run + on a larger file and dump the LUKS header to get actual + information. For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit (e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode). - You can do 64 bit (e.g. blofish-64 with CBC), but anything below + You can do 64 bit (e.g. blowfish-64 with CBC), but anything below 128 bit has to be considered insecure today. Example 1 - AES 128 bit with CBC: -- 2.7.4