[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Advice on encrypted filesystem

On Fri, Jun 26, 2020 at 02:06:57PM -0500, David Wright wrote:
Agreed. But I wouldn't be writing any sensitive information to an SSD
in the first place without encrypting it. (Not that I own any yet.)

SSDs are more common than not in new computers so it's probably best to assume that people reading stuff like this might be trying to apply it to an SSD.

> # cryptsetup --align-payload 2048 luksFormat /dev/sdz9

I also would not add this align-payload option. (If you don't,
cryptsetup will query the kernel for optimal parameters.)

You're right, but the problem comes when the kernel feeds LUKS a value
that it isn't designed to handle correctly. As elsewhere on my systems,
I tend to gravitate towards recipes/solutions that I can use across
all of them, rather than having to deal with lots of exceptions.

Well, the problem is that magic numbers get cargo culted without knowing why they are there or whether they're the right number, and eventually they aren't.

Per the manual:
WARNING: This option is DEPRECATED and has often unexpected impact to the data offset and keyslot area size (for LUKS2) due to the complex rounding.

The best option IMO (especially for crypto related stuff) is to stick with the defaults and deal with exceptions if they come up rather than blindly carry forward things that were once necessary on some configuration sometime. If you want to be complete you might reference a past issue so someone can deal with it if it arises, but it shouldn't be the starting point.

In this case, it's the "Optimal transfer size" which catches it out, when the commonly occurring value of 33553920 bytes is received. In plain speaking, that's 512*(2**16-1); which might be fine for the kernel transferring over USB with 32MB buffers, but unfortunately isn't actually divisible by 2048.

In this case, the kernel was updated to ignore transfer sizes which aren't a multiple of the drive's physical sector size because some drives were reporting seemingly bogus values. Hardcoding a workaround for older kernels means not taking advantage of the fix on newer kernels.

Reply to: