Luks

How many key slots does luks2 support?

  • November 22, 2019

The limit for luks1 is 8. But I just accidentally added 9 slots to luks2 (0 through 8). I would like to know what the limit for luks2 is?

Keyslots:
 0: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       32 ff 35 1e a2 b5 64 a7 fe f9 6e 7d 12 75 75 d5 
                   a4 e7 47 39 80 96 1d 76 b1 35 b3 77 0a 85 46 ac 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:32768 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 1: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       55 7b 9a 4c d8 53 2b bb 90 af 57 44 67 b5 0c 03 
                   85 a1 5d 70 e4 1e b0 5f 97 1a f3 0e f2 8c dc b2 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:290816 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 2: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       ac 24 09 ca f9 24 52 3d 49 d3 c9 89 63 d0 1d 61 
                   83 4a aa ed 75 a2 39 ec 3f f8 ab 95 5d 0c 49 aa 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:1064960 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 3: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       3d 37 41 20 93 44 55 62 c6 19 fe e0 7d ae 14 0d 
                   67 86 6a 44 5e c8 8a f0 97 01 1d c7 c6 83 02 22 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:1323008 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 4: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       bf 6d a0 15 c9 8e 9b 49 12 84 86 6b 13 93 95 7d 
                   cf cf 8f 3a e2 b7 42 42 4c 59 a1 5c 23 cd e6 1a 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:1581056 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 5: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       bd 76 ae e1 33 d3 7a 83 5b 59 d4 bc 46 17 36 ec 
                   e6 94 a5 b1 85 2d 00 9f a4 ff f4 02 cc b6 ca bc 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:1839104 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 6: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       ab 7f dd e5 2c eb 32 51 97 9a 10 5e 70 75 1e 15 
                   91 35 10 63 f5 8b b6 8c 7a 97 16 40 50 e6 89 fb 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:2097152 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 7: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       aa 02 fd a2 fd 4a ee 84 1a 41 93 58 7a 25 c2 d4 
                   0d 65 bc b4 5b 18 1a 05 4b 0a 81 f7 68 8c 9a 26 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:548864 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0
 8: luks2
       Key:        512 bits
       Priority:   normal
       Cipher:     aes-xts-plain64
       Cipher key: 512 bits
       PBKDF:      argon2i
       Time cost:  5
       Memory:     1048576
       Threads:    4
       Salt:       2b 04 62 29 e2 dc 42 b4 3a 28 8d 46 28 17 05 26 
                   a1 05 86 62 95 8e 50 98 91 67 18 15 71 1c 8a f9 
       AF stripes: 4000
       AF hash:    sha256
       Area offset:806912 [bytes]
       Area length:258048 [bytes]
       Digest ID:  0

For LUKS1, it is 8 key slots, fixed.

For LUKS2, currently at most 32 key slots:

#define LUKS2_KEYSLOTS_MAX       32

Trying to add more simply results in the error message "All key slots full.".

However, the answer may not be that simple. The limit of 32 exists in the code, but it is not mentioned at all in the LUKS2 On-Disk Format Specification.

The LUKS2 header is actually capable of storing more than 32 key slots. Or it might not even be able to store 8 of them. It depends on the data offset, the size of the keyslots area, and the size each individual key needs.

For a freshly formatted header it defaults to a large data offset, so you may easily get 32 key slots. If you converted from LUKS1 (which only has a 2MiB data offset), it stays at 8 key slots. If the data offset is smaller, it may be fewer than 8 key slots.

With a 1MiB data offset you only get 3 key slots (cryptsetup prints a warning):

# truncate -s 100M foobar.img
# cryptsetup luksFormat --offset=2048 foobar.img
WARNING: keyslots area (1015808 bytes) is very small,
available LUKS2 keyslot count is very limited.
# cryptsetup luksAddKey foobar.img 
# cryptsetup luksAddKey foobar.img 
# cryptsetup luksAddKey foobar.img 
No space for new keyslot.

In this particular example, only 3 key slots can be used before the header runs out of space to store more:

# cryptsetup luksDump foobar.img
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  1015808 [bytes]
[...]
Keyslots:
 0: luks2
   [...]
   Area offset:32768 [bytes]
   Area length:258048 [bytes]
   Digest ID:  0
 1: luks2
   [...]
   Area offset:290816 [bytes]
   Area length:258048 [bytes]
   Digest ID:  0
 2: luks2
   [...]
   Area offset:548864 [bytes]
   Area length:258048 [bytes]
   Digest ID:  0

The total available keyslots area here is only 1015808 bytes. Each key is 258048 bytes in size. To store one additional key, at least 1032192 bytes would be required, so it does not fit any more keys in this particular case.

If you don't care about MiB alignment you can make the offset even smaller, leaving only a single key slot.
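Worked example, added here by the editor and not part of the original question or answer: a small Python script that parses `cryptsetup luksDump` text like the two dumps above, reads the keyslots area size and each slot's area offset/length, and works out how many slots fit under both limits the answer describes (the hard cap of 32 from LUKS2_KEYSLOTS_MAX, and the free bytes in the keyslots area). It also derives the per-slot area length from the key size and AF stripes. Assumptions: the 4 KiB rounding of keyslot areas and the two 16384-byte metadata copies are inferred from the figures shown on this page rather than stated by the answer; `SAMPLE_DUMP` is a constructed, condensed copy of the answer's 1 MiB dump (with the elided fields filled in from the question's dump); function and constant names are the editor's own.

```python
"""Work out how many LUKS2 keyslots fit in a header, from `cryptsetup luksDump` text."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEYSLOTS_MAX = 32      # LUKS2_KEYSLOTS_MAX in cryptsetup's source, quoted in the answer
AREA_ALIGN = 4096      # assumption: keyslot areas are rounded up to 4 KiB (matches 258048 on this page)
METADATA_AREA = 16384  # "Metadata area" from the dump; assumption: LUKS2 keeps two copies before the slots


@dataclass
class Keyslot:
    index: int
    offset: Optional[int]
    length: Optional[int]
    key_bits: Optional[int] = None
    af_stripes: Optional[int] = None


def keyslot_area_length(key_bits: int, af_stripes: int = 4000, align: int = AREA_ALIGN) -> int:
    """Binary area one keyslot needs: the anti-forensic split key
    (key bytes * AF stripes) rounded up to the area alignment.
    512-bit key * 4000 stripes = 256000 bytes, which rounds up to 258048."""
    raw = (key_bits // 8) * af_stripes
    return -(-raw // align) * align  # ceiling division, then back to bytes


def keyslots_area_from_offset(data_offset_bytes: int, metadata_area: int = METADATA_AREA) -> int:
    """Keyslots area = data offset minus the two metadata (JSON) areas.
    --offset=2048 sectors -> 1048576 - 2*16384 = 1015808, as in the answer."""
    return data_offset_bytes - 2 * metadata_area


def _field(body: str, pattern: str) -> Optional[int]:
    m = re.search(pattern, body)
    return int(m.group(1)) if m else None


def parse_luks_dump(text: str) -> Tuple[Optional[int], List[Keyslot]]:
    """Return (keyslots area in bytes or None, list of Keyslot) from luksDump output."""
    keyslots_area = _field(text, r"Keyslots area:\s*(\d+)\s*\[bytes\]")
    # The "Keyslots:" section runs until the next non-indented header (Tokens:, Digests:, ...).
    sec = re.search(r"^Keyslots:\n(.*?)(?=^\S|\Z)", text, re.S | re.M)
    slots: List[Keyslot] = []
    if sec:
        for m in re.finditer(r"^\s*(\d+): luks2\n(.*?)(?=^\s*\d+: luks2|\Z)", sec.group(1), re.S | re.M):
            body = m.group(2)
            slots.append(Keyslot(
                index=int(m.group(1)),
                offset=_field(body, r"Area offset:\s*(\d+)"),   # note: no space after the colon in real output
                length=_field(body, r"Area length:\s*(\d+)"),
                key_bits=_field(body, r"Key:\s*(\d+) bits"),
                af_stripes=_field(body, r"AF stripes:\s*(\d+)"),
            ))
    return keyslots_area, slots


def keyslot_capacity(keyslots_area: int, slot_len: int) -> int:
    """Total keyslots a header can hold if every slot has area length slot_len."""
    return min(KEYSLOTS_MAX, keyslots_area // slot_len)


def additional_keyslots(keyslots_area: int, slots: List[Keyslot], new_len: int) -> int:
    """How many more slots of size new_len still fit: bounded by the 32-slot cap
    and by the bytes left in the keyslots area (same-size slots, so no fragmentation)."""
    used = sum(s.length or 0 for s in slots)
    by_space = max(0, keyslots_area - used) // new_len
    by_count = max(0, KEYSLOTS_MAX - len(slots))
    return min(by_space, by_count)


def analyse(text: str) -> dict:
    area, slots = parse_luks_dump(text)
    new_len = slots[0].length if slots and slots[0].length else keyslot_area_length(512)
    return {
        "keyslots_area": area,
        "present": len(slots),
        "capacity": keyslot_capacity(area, new_len),
        "additional": additional_keyslots(area, slots, new_len),
    }


# Constructed sample: the answer's 1 MiB-offset header, condensed to the fields used here.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  1015808 [bytes]
Keyslots:
 0: luks2
    Key:        512 bits
    AF stripes: 4000
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
 1: luks2
    Key:        512 bits
    AF stripes: 4000
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
 2: luks2
    Key:        512 bits
    AF stripes: 4000
    Area offset:548864 [bytes]
    Area length:258048 [bytes]
Digests:
  0: pbkdf2
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_DUMP))
```

Feeding it real output (`cryptsetup luksDump /dev/sdX | python3 luks2_slots.py`-style, after adapting the entry point to read stdin) tells you before a `luksAddKey` whether "No space for new keyslot." is coming, which matters when you plan to add recovery or TPM-bound slots to a header that was converted from LUKS1 or formatted with a small `--offset`.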

Source: https://unix.stackexchange.com/questions/553691