Revision as of 12:03, 24 June 2021

Optimal LUKS Encryption Sector Size

Summary

Autodetect optimal encryption sector size during Fedora installation with LUKS/dm-crypt encryption. On devices with 4K (physical) sector size this will

Owner

Name: Ondrej Kozina, Vojtech Trefny
Email: okozina AT redhat.com, vtrefny AT redhat.com

Current status

Targeted release: Fedora Linux 35
Last updated: 2021-06-24
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Anaconda (libraries Anaconda uses for storage configuration) currently sets sector size for LUKS devices to 512 regardless of actual physical sector size of the underlying disk device. Latest cryptsetup release added an option to let cryptsetup automatically detect the optimal sector size based on the (physical) sector size of the backing device. By using this new option we can make sure that Anaconda uses the optimal sector size for newly created LUKS devices during installation. This means we will use sector size of 4096 for devices with 4k physical sector size increasing IO performance with these devices.

Feedback

Benefit to Fedora

Scope

Proposal owners: Changes for both cryptsetup and libblockdev (low level storage library used by Anaconda) are already merged (cryptsetup) or submitted (libblockdev) upstream. We only need to package new versions of these two projects for Fedora 35.

Other developers: No work from other developers is needed.

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives:

Upgrade/compatibility impact

Upgraded systems will not be affected by this change, this affects only new LUKS containers created during Fedora installation.

How To Test

Disk with 4k physical sectors is required for testing this change. You can check block size of your drive using blockdev from util-linux package:

  # blockdev --getpbsz /dev/nvme0n1 
  4096

This can be also tested in a virtual machine. You can configure any disk to appear as a 4k block size disk in libvirt by adding following option to the disk XML specification:

  <blockio logical_block_size="4096" physical_block_size="4096"/>

Install Fedora with disk encryption enabled. Using automatic partition with Encrypt my data enabled is enough for testing.

In the installed system use cryptsetup luksDump /dev/<device> to check that correct sector size was selected for your device (4096 for disks with 4096 physical sector size):

  # cryptsetup luksDump /dev/nvme0n1p1 
  LUKS header information
  Version:        2
  ...
  Data segments:
    0: crypt
          offset: 16777216 [bytes]
          length: (whole device)
          cipher: aes-xts-plain64
          sector: 4096 [bytes]

User Experience

Dependencies

None.

Contingency Plan

Contingency mechanism: Keep existing behaviour (512 sector size for all devices)
Contingency deadline: Beta Freeze
Blocks release? No

Documentation

Release Notes

@@ Line 1: / Line 1: @@
-{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
-{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
-<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 = Optimal LUKS Encryption Sector Size =
 <!-- The name of your change proposal -->

Search

Changes/LUKSEncryptionSectorSize: Difference between revisions