When setting up LUKS2 using an AEAD mode on a large disk (5+TB), it can take well over a day to add an authentication tag to every block, especially given the slower nature of AEAD algorithms (for now). I’ve been thinking about how to defer / amortize this cost. So far, what I’ve come up with is to:
```bash
# Set up LUKS2 and skip the AEAD initialization step
cryptsetup ... --integrity-no-wipe
cryptsetup open ...
# Create a sparse file as large as the LUKS device (but which uses essentially no disk space)
truncate -r "$device" tmpfile
# Create a filesystem in this sparse image file, which might use a few gigs of space
# (Using `mkfs.ext4` directly on the LUKS device does not work because the tool
# does not always write in native block-sized units.)
mkfs.ext4 tmpfile
# Use dd to write only the non-sparse portions of this file to the LUKS device
# Use the native block size so that data is never read from the uninitialized device
dd if=tmpfile of="$device" conv=sparse bs=4096
```
This nearly worked. Although writing the file with `dd` did not produce any errors, I did run `e2fsck -f` after the `dd` but before mounting and it did find issues. Thankfully, it wrote out the block numbers where it found errors. I then used a for loop and `dd seek=...` to zero out those blocks.

Finally, after running through the above procedure, I re-ran `mkfs.ext4`, this time directly on the LUKS block device because I knew all the relevant blocks were initialized. This worked without an error. I could now mount the filesystem and begin using it, which will initialize blocks as ext writes them. I can fill the remaining free space with `/dev/zero` at my leisure by writing out a large file.
Although it worked, this seems a bit ad-hoc and I couldn’t imagine scripting this.
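As an added example (not the poster's code), the two block-oriented steps of the procedure scripted in Python: copying only the allocated extents of the sparse image in whole 4 KiB blocks, which is what `dd conv=sparse bs=4096` does, and zeroing the block numbers that e2fsck reported. It assumes Linux (SEEK_DATA/SEEK_HOLE) and a 4096-byte native block size; the self-check uses a constructed 64-block image and a regular file standing in for the LUKS device.

```python
import os, tempfile
BLOCK = 4096  # assumption: the integrity device's native block size is 4 KiB

def data_extents(path):
    """Yield (offset, length) of a sparse file's allocated extents via Linux
    SEEK_DATA/SEEK_HOLE; a filesystem that cannot report holes yields the whole file."""
    size, off, fd = os.path.getsize(path), 0, os.open(path, os.O_RDONLY)
    try:
        while off < size:
            try:
                start = os.lseek(fd, off, os.SEEK_DATA)
            except OSError:  # ENXIO: no data beyond off
                break
            end = os.lseek(fd, start, os.SEEK_HOLE)
            off = end if end > start else size  # guard against a zero-length extent
            yield start, off - start
    finally:
        os.close(fd)

def write_allocated_blocks(src, dst):
    """Write only src's allocated extents to dst, in whole BLOCK units, so the
    target is never read (reading an unwritten integrity block fails its tag check)."""
    written = set()
    with open(src, "rb") as s, open(dst, "r+b") as d:
        for start, length in data_extents(src):
            for blk in range(start // BLOCK, (start + length - 1) // BLOCK + 1):
                s.seek(blk * BLOCK); d.seek(blk * BLOCK)
                d.write(s.read(BLOCK).ljust(BLOCK, b"\0"))  # pad a short tail block
                written.add(blk)
    return written  # the block numbers that were written

def zero_blocks(dst, blocks):
    """Zero the blocks e2fsck reported (the post's manual 'dd seek=' loop)."""
    with open(dst, "r+b") as d:
        for blk in blocks:
            d.seek(blk * BLOCK); d.write(b"\0" * BLOCK)

def self_check():
    """Constructed 64-block sparse image and a regular file standing in for the device."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "tmpfile"), os.path.join(tmp, "device")
    with open(src, "wb") as f:
        f.truncate(64 * BLOCK)
        f.seek(3 * BLOCK + 100); f.write(b"A" * 10)  # data lands in block 3
        f.seek(40 * BLOCK); f.write(b"B" * BLOCK)     # data fills block 40
    open(dst, "wb").close(); os.truncate(dst, 64 * BLOCK)
    written = write_allocated_blocks(src, dst)
    same = open(src, "rb").read() == open(dst, "rb").read()
    zero_blocks(dst, [40])
    zeroed = open(dst, "rb").read()[40 * BLOCK:41 * BLOCK] == b"\0" * BLOCK
    return {"written": written, "same": same, "zeroed": zeroed}
```

Against a real device, `dst` would be the opened mapper path; the functions only ever write to it, so the uninitialized integrity blocks are never read.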