diff --git a/internal/rbd/controllerserver.go b/internal/rbd/controllerserver.go
index 3b6c58d06a9..e131d5a4103 100644
--- a/internal/rbd/controllerserver.go
+++ b/internal/rbd/controllerserver.go
@@ -1627,6 +1627,10 @@ func (cs *ControllerServer) ControllerExpandVolume(
 		}
 	}
 
+	if rbdVol.isBlockEncrypted() {
+		rbdVol.VolSize -= util.GetLuksHeaderSize()
+	}
+
 	return &csi.ControllerExpandVolumeResponse{
 		CapacityBytes:         rbdVol.VolSize,
 		NodeExpansionRequired: nodeExpansion,
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 7b37a70eb61..21150daa4dc 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -443,8 +443,12 @@ func createImage(ctx context.Context, pOpts *rbdVolume, cr *util.Credentials) er
 		return fmt.Errorf("failed to get IOContext: %w", err)
 	}
 
-	err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName,
-		uint64(util.RoundOffVolSize(pOpts.VolSize)*helpers.MiB), options)
+	size := uint64(util.RoundOffVolSize(pOpts.VolSize) * helpers.MiB)
+	if pOpts.isBlockEncrypted() {
+		size += uint64(util.GetLuksHeaderSize())
+	}
+
+	err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName, size, options)
 	if err != nil {
 		return fmt.Errorf("failed to create rbd image: %w", err)
 	}
@@ -1846,7 +1850,12 @@ func (ri *rbdImage) resize(newSize int64) error {
 	}
 	defer image.Close()
 
-	err = image.Resize(uint64(util.RoundOffVolSize(newSize) * helpers.MiB))
+	size := uint64(util.RoundOffVolSize(newSize) * helpers.MiB)
+	if ri.isBlockEncrypted() {
+		size += uint64(util.GetLuksHeaderSize())
+	}
+
+	err = image.Resize(size)
 	if err != nil {
 		return err
 	}
diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go
index e5669b42533..8fcd3185578 100644
--- a/internal/util/cryptsetup.go
+++ b/internal/util/cryptsetup.go
@@ -22,10 +22,22 @@ import (
 	"os/exec"
 	"strconv"
 	"strings"
+
+	"k8s.io/cloud-provider/volume/helpers"
 )
 
 // Limit memory used by Argon2i PBKDF to 32 MiB.
-const cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
+const (
+	cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
+	luks2MetadataSize          = 32 << 7  // 4096 KiB
+	luks2KeySlotsSize          = 32 << 8  // 8192 KiB
+)
+
+func GetLuksHeaderSize() int64 {
+	size := int64((((2 * luks2MetadataSize) + luks2KeySlotsSize) * helpers.KiB))
+
+	return size
+}
 
 // LuksFormat sets up volume as an encrypted LUKS partition.
 func LuksFormat(devicePath, passphrase string) (string, string, error) {
@@ -37,6 +49,10 @@ func LuksFormat(devicePath, passphrase string) (string, string, error) {
 		"luks2",
 		"--hash",
 		"sha256",
+		"--luks2-metadata-size",
+		strconv.Itoa(luks2MetadataSize)+"k",
+		"--luks2-keyslots-size",
+		strconv.Itoa(luks2KeySlotsSize)+"k",
 		"--pbkdf-memory",
 		strconv.Itoa(cryptsetupPBKDFMemoryLimit),
 		devicePath,