From cc001965399ce3ac66c9f854e6e776aa16ff6906 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Fri, 20 Dec 2024 19:29:36 +0000 Subject: [PATCH 1/3] luksFormat: add --sector-size=512 argument --- user/advanced-topics/secondary-storage.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/user/advanced-topics/secondary-storage.md b/user/advanced-topics/secondary-storage.md index 24d97e2c..391e3059 100644 --- a/user/advanced-topics/secondary-storage.md +++ b/user/advanced-topics/secondary-storage.md @@ -65,10 +65,12 @@ In theory, you can still use file-based disk images ("file" pool driver), but it Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot): ``` -sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb +sudo cryptsetup luksFormat --sector-size=512 --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb sudo blkid /dev/sdb ``` +(The `--sector-size=512` argument can sometimes work around an incompatibility of storage hardware with LVM thin pools on Qubes. If this does not apply to your hardware, the argument will make no difference.) + Note the device's UUID (in this example "b209..."), we will use it as its luks name for auto-mounting at boot, by doing: ``` From 4fb0f0c851a44aeecd0778bca3c9babeebc79ec6 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Fri, 20 Dec 2024 19:29:37 +0000 Subject: [PATCH 2/3] luksFormat: drop arguments that are already the default --- user/advanced-topics/secondary-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/advanced-topics/secondary-storage.md b/user/advanced-topics/secondary-storage.md index 391e3059..3e2e8cf9 100644 --- a/user/advanced-topics/secondary-storage.md +++ b/user/advanced-topics/secondary-storage.md 
@@ -65,7 +65,7 @@ In theory, you can still use file-based disk images ("file" pool driver), but it Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot): ``` -sudo cryptsetup luksFormat --sector-size=512 --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb +sudo cryptsetup luksFormat --sector-size=512 --hash=sha512 /dev/sdb sudo blkid /dev/sdb ``` From 65e0511d1521be509a5226296ce9912b39d2eac8 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Fri, 20 Dec 2024 19:29:38 +0000 Subject: [PATCH 3/3] luksFormat: drop --hash=sha512 argument The default (sha256) seems fine for LUKS2 where the hash algorithm has a limited role anyway - it's not used for key stretching like in LUKS1. --- user/advanced-topics/secondary-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/advanced-topics/secondary-storage.md b/user/advanced-topics/secondary-storage.md index 3e2e8cf9..d541c3c3 100644 --- a/user/advanced-topics/secondary-storage.md +++ b/user/advanced-topics/secondary-storage.md @@ -65,7 +65,7 @@ In theory, you can still use file-based disk images ("file" pool driver), but it Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot): ``` -sudo cryptsetup luksFormat --sector-size=512 --hash=sha512 /dev/sdb +sudo cryptsetup luksFormat --sector-size=512 /dev/sdb sudo blkid /dev/sdb ```
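Review bot: In PATCH 1/3, the parenthetical added after the `sudo blkid /dev/sdb` block is too vague for a reader to act on: "can sometimes work around an incompatibility of storage hardware with LVM thin pools on Qubes" names neither the kind of hardware nor the symptom. Suggest describing what the failure looks like or linking the tracking issue. The closing claim that the argument "will make no difference" is also absolute for an explicit format setting; either back it up or soften it.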
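Review bot: In PATCH 2/3, the `+` line drops `--key-size=512 --cipher=aes-xts-plain64 --verify-passphrase` on the grounds that they are "already the default", but the commit message does not say which cryptsetup version or build those defaults were checked against. Suggest recording that in the commit message, or adding a step to the doc that confirms the resulting cipher and key size with `sudo cryptsetup luksDump /dev/sdb`, so the page does not silently depend on whatever defaults the installed cryptsetup was built with.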
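Review bot: In PATCH 3/3, the commit message justifies removing `--hash=sha512` by the hash's limited role in LUKS2, yet the resulting `+` line `sudo cryptsetup luksFormat --sector-size=512 /dev/sdb` does not select the format and relies on the default. Suggest adding `--type=luks2` to the command, or stating in the surrounding doc text that LUKS2 is assumed, so the stated rationale is tied to what the command actually creates.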