[dm-crypt] dm-crypt overhead

Lukáš Pohanka numberfour at seznam.cz
Thu Mar 1 22:20:36 CET 2018


thank you very much for a useful and informative answer. I'll have a look
at this.

Maybe I have a one more question: which part requires the 4.12+ kernel?

I'm afraid I'll have to backport the changes if we decide to proceed.

Thanks again,

2018-03-01 18:41 GMT+01:00 Milan Broz <gmazyland at gmail.com>:

> On 03/01/2018 03:59 PM, Lukáš Pohanka wrote:
> > thanks for clarifications. Unfortunately, we are currently
> > constrained to use only dmsetup and cannot provision the target
> > device with cryptsetup. Thus we cannot use LUKS, only plain
> > dm-crypt. Hopefully it will change in the future. However, does this
> > mean there is currently no chance of using any form of authenticated
> > encryption in our case?
> Hi,
> you can use it just with dmsetup, but there are several steps that
> are not obvious (for example formatting dm-integrity device requires
> two steps etc).
> But it is definitely something I would not suggest :-)
> So in general (I intentionally do not want to paste exact commands,
> you have to be sure what you are doing here):
> - you will need recent-enough kernel (4.12+)
> Formatting (only once):
> - prepare block device, wipe first megabytes with zeroes
> - activate dm-integrity device (using dm-setup) with size 8 sectors,
> and with proper parameters (mainly tag size per sector) you need (do not
> use internal hash)
> - deactivate dm-integrity device
> (Steps above will format the device in-kernel, writing integrity
> superblock.)
> Later use (normal activation):
> - activate dm-integrity device with proper data size (read from
> dm-integrity
> superblock). (In future it will be simpler.)
> - activate dm-crypt device with proper parameters above the dm-itegrity
> device
> (with proper authentication mode parameters, tag size, random IV etc)
> - Profit. (Use top-level dm-crypt device as usual.)
> (You should probably overwrite the whole device using direct-io on the
> first
> activation to initialize auth.tags.
> Otherwise any reads, including page cache, will fail on -EILSEQ -
> integrity error.)
> The above is in principle what crypstestup is doing for you.
> Authenticated filesystem is definitely better idea, but because I can
> guess in which environment you are trying to implement
> this I guess it is not an option...
> Milan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20180301/cd88471d/attachment-0001.html>

More information about the dm-crypt mailing list