[dm-crypt] Efficacy of xts over 1TB
arno at wagner.name
Mon Jul 26 23:45:16 CEST 2010
On Mon, Jul 26, 2010 at 11:31:56PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2010-07-26 at 23:07 +0200, Arno Wagner wrote:
> > > So you guess the 1TB limit could be actually a "don't have blocks
> > > larger than 1TB" limit?!
> > Actually, it is the "plain" implementation that causes a 2TB limit
> > because of repeating IVs. XTS has a block size limit, at 2^20 bits,
> > (I think) but it is a recommended limit. At 512 bytes we are well
> > below that :-)
> So you mean we have two limits?
Yes. One on the block number and one on the block size.
> 1) The limit related to the IVs that we get from "plain" after 32bit 512
> byte blocks, or that we would get from plain64 on a Zettabyte device.
That is the IV limit, i.e. the limit on the block numbers.
> 2) Another limit, on the maximum block size (which was misconceived as a
> maximum filesystem size) that can be securely used which is that 1TB
> However we should never hit that one too?!
That is the size for the individual blocks encrypted. For
dm-crypt/LUKS we use 512 byte blocks, but XTS can do much larger.
However beyond a certain block size its security is suspected to
degrade. I looked the limits up again, the hard limit is
(2^128)-2 x 128 bit blocks. If I understand this correctly
exceeding this limit breaks the cipher. Then there is the
soft limit of 2^20 x 128 bit, i.e. 16MB block size. The block
size should be kept below that and 512B is well below it.
I do not know of any 1TB limit.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
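
The two limits discussed in the message above, worked through as an added example that is not part of the original post or of dm-crypt's code. It assumes the documented dm-crypt IV layouts ("plain": 32-bit little-endian sector number, zero-padded; "plain64": the same with 64 bits), a 16-byte IV, and the XTS limits as quoted in the message; all function names are hypothetical.

```python
import struct

SECTOR_SIZE = 512                    # dm-crypt/LUKS sector size, from the message
AES_BLOCK = 16                       # one 128-bit cipher block, in bytes
XTS_SOFT_LIMIT_BLOCKS = 2**20        # soft limit quoted in the message (16 MiB)
XTS_HARD_LIMIT_BLOCKS = 2**128 - 2   # hard limit quoted in the message

def iv_plain(sector):
    """'plain' IV: low 32 bits of the sector number, little-endian, zero-padded."""
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(AES_BLOCK, b"\0")

def iv_plain64(sector):
    """'plain64' IV: low 64 bits of the sector number, little-endian, zero-padded."""
    return struct.pack("<Q", sector & 0xFFFFFFFFFFFFFFFF).ljust(AES_BLOCK, b"\0")

def iv_reuse_threshold(counter_bits, sector_size=SECTOR_SIZE):
    """Device size in bytes beyond which the IV counter wraps and IVs repeat."""
    return (1 << counter_bits) * sector_size

def first_repeated_sector(iv_func, counter_bits, device_bytes):
    """Return (sector, earlier_sector) for the first IV repeat on the device, or None."""
    sectors = device_bytes // SECTOR_SIZE
    wrap = 1 << counter_bits
    if sectors <= wrap:              # every sector number still fits in the counter
        return None
    # The first sector past the wrap point shares its IV with sector 0.
    return (wrap, 0) if iv_func(wrap) == iv_func(0) else None

def xts_data_unit_status(unit_bytes):
    """Classify one XTS data unit (the 'block size' limit) by its 128-bit block count."""
    blocks = -(-unit_bytes // AES_BLOCK)   # ceiling division
    if blocks > XTS_HARD_LIMIT_BLOCKS:
        return "above hard limit"
    if blocks > XTS_SOFT_LIMIT_BLOCKS:
        return "above soft limit"
    return "ok"

if __name__ == "__main__":
    TIB = 2**40
    print("plain repeats beyond  ", iv_reuse_threshold(32) // TIB, "TiB")
    print("plain64 repeats beyond", iv_reuse_threshold(64) // 2**70, "ZiB")
    print("3 TiB device, plain:  ", first_repeated_sector(iv_plain, 32, 3 * TIB))
    print("3 TiB device, plain64:", first_repeated_sector(iv_plain64, 64, 3 * TIB))
    print("512 B data unit:      ", xts_data_unit_status(SECTOR_SIZE))
    print("32 MiB data unit:     ", xts_data_unit_status(32 * 2**20))
```
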