[dm-crypt] Non-standard cipher mode

Arno Wagner arno at wagner.name
Wed Dec 18 17:13:28 CET 2013

DO NOT EDIT THE HEADER. This will make your LUKS container
inaccessible until you reverse the changes. What you now
have is an aes-xts-plain64:sha512 container. You do not have
ESSIV anywhere in there, XTS is an alternative to CBC-ESSIV.

That said, if you want aother cipher or mode, easiest way is 
to re-create the container. A bit harder and risky without 
backup is to use Milan's reencryption tool.


On Wed, Dec 18, 2013 at 12:45:39 CET, FLD wrote:
> I accidentally created a luks container using option --cipher
> aes-xts-plain64:sha512. Everything seems to be working correctly and
> luksDump shows: "Cipher mode:    xts-plain64:sha512". I wonder if I
> should hexedit the header manually and replace the ":sha512" part with
> nulls since the proper format would be just "xts-plain64" since the
> cipher does not need a hash for the ESSIV?
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list