[dm-crypt] Efficacy of xts over 1TB

Arno Wagner arno at wagner.name
Mon Jul 26 23:45:16 CEST 2010

On Mon, Jul 26, 2010 at 11:31:56PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2010-07-26 at 23:07 +0200, Arno Wagner wrote:
> > > So you guess the 1TB limit could be actually a "don't have blocks
> > > larger than 1TB" limit?!
> > Actually, it is the "plain" implementation that causes a 2TB limit 
> > because of repeating IVs. XTS has a block size limit, at 2^20 bits, 
> > (I think) but it is a recommended limit. At 512 bytes we are well 
> > below that :-)
> So you mean we have two limits?

Yes. One on the block number and one on the block size.
> 1) The limit related to the IVs that we get from "plain" after 32-bit 512
> byte blocks, or that we would get from plain64 on a Zettabyte device.

That is the IV limit, i.e. the limit on the block numbers.

> 2) Another limit, on the maximum block size (which was misconceived as a
> maximum filesystem size) that can be securely used which is that 1TB
> thingy?
> However we should never hit that one too?!

That is the size for the individual blocks encrypted. For
dm-crypt/LUKS we use 512 byte blocks, but XTS can do much larger.
However, beyond a certain block size its security is suspected to 
degrade. I looked the limits up again, the hard limit is 
(2^128)-2 x 128 bit blocks. If I understand this correctly 
exceeding this limit breaks the cipher. Then there is the 
soft limit of 2^20 x 128 bit, i.e. 16MB block size. The block
size should be kept below that and 512B is well below it. 

I do not know of any 1TB limit.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

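As an added example (not code from the original thread, and not dm-crypt's own code), the following Python models the two separate limits discussed in the message so they can be checked directly: the IV (block-number) limit of the "plain" IV generator, which uses only the low 32 bits of the sector number, versus "plain64", which uses all 64 bits; and the XTS data-unit limits, using the 2^20-block soft limit and (2^128)-2 hard limit quoted above. The IV layout (little-endian sector number zero-padded to the 16-byte AES block) follows dm-crypt's `plain`/`plain64` generators; the function names are my own.

```python
import struct

SECTOR_SIZE = 512                       # dm-crypt/LUKS sector size discussed in the thread
XTS_BLOCK_BYTES = 16                    # one 128-bit AES block
XTS_SOFT_LIMIT_BLOCKS = 1 << 20         # recommended max data-unit length (16 MiB) quoted above
XTS_HARD_LIMIT_BLOCKS = (1 << 128) - 2  # hard limit on blocks per data unit quoted above


def iv_plain(sector: int) -> bytes:
    """'plain' IV: low 32 bits of the sector number, little-endian, zero-padded to 16 bytes."""
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(12)


def iv_plain64(sector: int) -> bytes:
    """'plain64' IV: full 64-bit sector number, little-endian, zero-padded to 16 bytes."""
    return struct.pack("<Q", sector & 0xFFFFFFFFFFFFFFFF) + bytes(8)


def iv_repeat_device_bytes(iv_bits: int, sector_size: int = SECTOR_SIZE) -> int:
    """Device size (bytes) at which the sector counter wraps and IVs start repeating."""
    return (1 << iv_bits) * sector_size


def ivs_collide(ivgen, sector_a: int, sector_b: int) -> bool:
    """True if two distinct sectors would be encrypted under the same IV."""
    return sector_a != sector_b and ivgen(sector_a) == ivgen(sector_b)


def xts_data_unit_check(data_unit_bytes: int) -> dict:
    """Compare one XTS data unit (for dm-crypt: one sector) against the two XTS limits."""
    blocks = data_unit_bytes // XTS_BLOCK_BYTES
    return {
        "blocks": blocks,
        "within_soft_limit": blocks <= XTS_SOFT_LIMIT_BLOCKS,
        "within_hard_limit": blocks <= XTS_HARD_LIMIT_BLOCKS,
    }


if __name__ == "__main__":
    tib = 1 << 40
    # Limit 1: the IV / block-number limit. Sector 0 and sector 2^32 share an IV under 'plain'.
    wrap = 1 << 32
    print("plain:   sectors 0 and 2^32 collide:", ivs_collide(iv_plain, 0, wrap))
    print("plain64: sectors 0 and 2^32 collide:", ivs_collide(iv_plain64, 0, wrap))
    print("plain   IVs repeat beyond %d TiB" % (iv_repeat_device_bytes(32) // tib))
    print("plain64 IVs repeat beyond 2^%d bytes" % (iv_repeat_device_bytes(64).bit_length() - 1))
    # Limit 2: the XTS data-unit size. A 512-byte sector is 32 blocks, far below 2^20.
    for size in (SECTOR_SIZE, 4096, 16 << 20, 32 << 20):
        print("data unit %9d bytes:" % size, xts_data_unit_check(size))
```

Running it shows the 2 TiB figure for "plain" (2^32 sectors of 512 bytes), the 2^73-byte figure for "plain64", and that a 512-byte sector is only 32 XTS blocks, so the data-unit limit is never approached in the dm-crypt/LUKS setup discussed here.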