[dm-crypt] Efficacy of xts over 1TB

Milan Broz mbroz at redhat.com
Sun Jul 25 14:25:32 CEST 2010


On 07/25/2010 12:34 PM, Arno Wagner wrote:
> This would be a reason to stay away from XTS, something may have
> been subtly messed up.
> 
> As a side note, the XTS spec seems to be behind a IEEE paywall, which 
> would be another reason not to use it, public standards need to be
> accessible for free.

You should then suggest not use hardisks and storage technologies too
because most of standards are not accesible for free:-)
</joke>

Seriously, XTS-AES is FIPS140-2 approved and I see no problem to use it.
Also read
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf

Yes, final version is not available but draft specification is still there
(this is IEEE business, not hiding algorithm definition IMHO).

Just please note one thing, which is dm-crypt special here:

default "plain IV" is 32 bit only, so if anyone uses it on >2TB partition
some sectors shares IV (IV generator restarts, opening it to to watermarking
and similar attacks).

Please _always_ use plain64 (*aes-xts-plain64*) if you want use it for large
devices. (plain64 produces the same IV for <2TB.
Available since 2.6.33, Truecrypt 7 already does that, thanks:-)

Milan


More information about the dm-crypt mailing list