clarify some options
Hey.
Could you please clarify some options:
- --keyslot-cipher / --keyslot-key-size: It seems --keyslot-key-size must be identical to --key-size (otherwise I get an error, or is this a bug?). Either please document that, or give a better error message.
- The 2.1 release notes contained a warning that the above options and --luks2-metadata-size=BYTES and --luks2-keyslots-size=BYTES should not be used... is there any special reason for that strong warning against them? It's not mentioned in the manpage, and to me it seems (while strange) perfectly fine to use e.g. aes-xts-plain for the data but serpent-xts-plain for the keyslot.
- --integrity-recalculate: "Automatically recalculate integrity tags in kernel on activation. The device can be used during automatic integrity recalculation but becomes fully integrity protected only after the background operation is finished. This option is available since the Linux kernel version 4.19."

  Maybe I'm just not smart enough, but to me it's absolutely unclear what this actually does... I assume activation is "opening" the device, i.e. if that option already existed in the AEAD/LUKS case it would mean one needs a key for the recalculation to happen. But what is this used for? Is it like a lazy parity-RAID initialisation, e.g. the integrity information is built up for the whole device in the background + for any sectors as soon as they're read (regardless of their current content, i.e. there would be no wiping of these areas)? Or is it like a "repair" when some blocks no longer match their integrity information... like "signing" the data, regardless of what it actually is? Does it imply --no-wipe? What if one aborts the process (i.e. stops the device before the recalculation has finished)?
Thanks, Chris.