On Fri, Jun 26, 2020 at 02:06:57PM -0500, David Wright wrote:
Agreed. But I wouldn't be writing any sensitive information to an SSD
in the first place without encrypting it. (Not that I own any yet.)
SSDs are more common than not in new computers so it's probably best to
assume that people reading stuff like this might be trying to apply it
to an SSD.
> # cryptsetup --align-payload 2048 luksFormat /dev/sdz9
I also would not add this align-payload option. (If you don't,
cryptsetup will query the kernel for optimal parameters.)
You're right, but the problem comes when the kernel feeds LUKS a value
that it isn't designed to handle correctly. As elsewhere on my systems,
I tend to gravitate towards recipes/solutions that I can use across
all of them, rather than having to deal with lots of exceptions.
Well, the problem is that magic numbers get cargo culted without knowing
why they are there or whether they're the right number, and eventually
they aren't.
Per the manual:
WARNING: This option is DEPRECATED and has often unexpected impact to
the data offset and keyslot area size (for LUKS2) due to the complex
rounding.
The best option IMO (especially for crypto related stuff) is to stick
with the defaults and deal with exceptions if they come up rather than
blindly carry forward things that were once necessary on some
configuration sometime. If you want to be complete you might reference a
past issue so someone can deal with it if it arises, but it shouldn't be
the starting point.
In this case, it's the "Optimal transfer size" which catches it out,
when the commonly occurring value of 33553920 bytes is received. In
plain speaking, that's 512*(2**16-1); which might be fine for the
kernel transferring over USB with 32MB buffers, but unfortunately
isn't actually divisible by 2048.
In this case, the kernel was updated to ignore transfer sizes which
aren't a multiple of the drive's physical sector size because some
drives were reporting seemingly bogus values. Hardcoding a workaround
for older kernels means not taking advantage of the fix on newer
kernels.
