[dm-crypt] list of supported encryption options for LUKS

Milan Broz gmazyland at gmail.com
Sun Sep 7 18:59:21 CEST 2014


On 09/07/2014 06:15 PM, .. ink .. wrote:
> 
> The most requested feature in my project zuluCrypt has been to have an option
> to set encryption options when creating a volume and I have decided to implement it
> after just receiving another feature request.
> 
> "cryptsetup benchmark" mentions a few different combinations and I am wondering if
> these combinations are the only ones supported or if there are more supported combinations.

These are just common and widely used. (I selected AES finalists mainly to
compare speed on a particular machine.)

You can use and test anything that the kernel provides, but you have to know the key size etc.
(IIRC for block ciphers the kernel supports more options including e.g. camellia, cast,
blowfish, ... Ditto for block modes. See for example the tcrypt tests, which test all
TrueCrypt historic images; there are more ciphers.)

But from my experience, I am against providing too many easily available options
for non-expert users.
(Sadly, cryptsetup already requires the user to fiddle with too many options sometimes.)

Security experts know how to switch it if needed (and it will always be possible),
but a simple list box containing all possible variants will not help anything.

People tend to experiment without thinking about security (and even practical) consequences.
("I read SHA1 is insecure so I used whirlpool everywhere." Recent story...)

If you are able to provide some comments on the options (TrueCrypt tried to do that)
it can be better; at least someone reads it and decides according to the comment.

But I still think that there should be only a few strong predefined combinations.

Why do the users want to change the default?
What's the real problem - cipher speed, or they do not trust NIST and NSA, or ...
they just want more knobs because more knobs means more security :-) ?

Milan
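
The point in the reply that you must know the key size for whatever the kernel provides can be checked against /proc/crypto, which reports min/max key sizes in bytes for registered ciphers. The sketch below is an added example, not part of the original message or of cryptsetup or zuluCrypt: the sample text is constructed and abridged, the function names are hypothetical, and the range check is necessary but not sufficient (a cipher may accept only some sizes in the range, and /proc/crypto lists only algorithms already instantiated).

```python
# Constructed, abridged sample in the layout of /proc/crypto (sizes in bytes).
SAMPLE_PROC_CRYPTO = """\
name         : xts(aes)
driver       : xts-aes-aesni
type         : skcipher
blocksize    : 16
min keysize  : 32
max keysize  : 64
ivsize       : 16

name         : cbc(camellia)
driver       : cbc-camellia-asm
type         : skcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16

name         : sha256
driver       : sha256-generic
type         : shash
digestsize   : 32
"""


def parse_proc_crypto(text):
    """Return {kernel algorithm name: (min, max) key size in bytes}."""
    ciphers = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "min keysize" not in fields:
            continue  # hashes, RNGs, compressors carry no key size
        lo, hi = int(fields["min keysize"]), int(fields["max keysize"])
        old = ciphers.get(fields["name"], (lo, hi))  # merge duplicate drivers
        ciphers[fields["name"]] = (min(lo, old[0]), max(hi, old[1]))
    return ciphers


def key_size_ok(ciphers, spec, key_bits):
    """Check a dm-crypt 'cipher-mode-iv' spec with a key size given in bits."""
    parts = spec.split("-")
    if len(parts) < 2 or key_bits % 8:
        return False
    bounds = ciphers.get(f"{parts[1]}({parts[0]})")  # e.g. xts(aes)
    return bounds is not None and bounds[0] <= key_bits // 8 <= bounds[1]
```

On a Linux host, pass the contents of /proc/crypto to `parse_proc_crypto` instead of the sample; a front end can use `key_size_ok` to reject a combination before handing it to cryptsetup.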

