[dm-crypt] Cryptsetup FAQ, monthly posting 11/2011

Philipp Wendler ml at philippwendler.de
Tue Nov 1 13:39:27 CET 2011


Hi,

Am 01.11.2011 05:50, schrieb Arno Wagner:

>  * Are there any problems with "plain" IV? What is "plain64"?
> 
>   First, "plain" and "plain64" are both not secure to use with CBC,
>   see previous FAQ item.
> 
>   However there are modes, like XTS, that are secure with "plain" IV.
>   The next limit is that "plain" is 64 bit, with the upper 32 bit set
>   to zero. This means that on volumes larger than 2TiB, the IV
>   repeats, creating a vulnerability that potentially leaks some
>   data. To avoid this, use "plain64", which uses the full sector
>   number up to 64 bit. Note that "plain64" requires a kernel >=
>   2.6.33. Also note that "plain64" is backwards compatible for
>   volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64"
>   does not cause any performance penalty compared to "plain".

Wouldn't it be nice for cryptsetup to print a warning when someone is
going to create a luks device >2TiB with "plain" IV (e.g.,
aes-xts-plain)? A note in the man page would also be nice (where it
mentions aes-xts-plain).
Or perhaps cryptsetup should automatically select plain64 in such a
case? According to the description above there seems to be absolutely no
drawback in using plain64, so why not use it?

I, for example, have read this section of the FAQ only after creating
and filling my luks partition. Now I have to re-create everything, which
will take several hours.

Greetings, Philipp


More information about the dm-crypt mailing list