[dm-crypt] Switch to XTS mode for LUKS in cryptsetup in 1.6.0 (Was Re: [ANNOUNCE] cryptsetup 1.6.0-rc1)

Milan Broz gmazyland at gmail.com
Fri Jan 4 13:18:33 CET 2013

On 01/04/2013 12:53 PM, Ralf Ramsauer wrote:
> On 01/04/13 12:50, Milan Broz wrote:
>> On 12/29/2012 10:40 PM, Milan Broz wrote:
>>> The testing release candidate cryptsetup 1.6.0-rc1 is available at
>>>    http://code.google.com/p/cryptsetup/
>>> Feedback and bug reports are welcomed.
>>> Cryptsetup 1.6.0 Release Notes (RC1)
>> I am going to do one more important change to final 1.6.0:
>> change LUKS _default_ cipher to aes-xts-plain64 with 512bits key.
> 512bits Key?
>> Most of recent disk encryption systems switched already to XTS mode,
>> also it is preferred by standards (and we are using it for very long
>> time in Fedora/RHEL during installations.)
>> Distro maintainers can always overwrite this during compilation time,
>> and user can use -c aes-cbc-essiv:sha256 -s 256 to old mode always.

> You mean 256bits, don't you?

For XTS? No, I meant 512.

XTS uses 2 keys (for tweak and encryption). So with AES and 512bits
we will use 2 x AES-256 in fact.
But yes, question is if AES-128 (IOW 2x128 = 256 bits) is not enough here.

(With all know analysis to AES256 I still think it is better
to prefer it to AES128.
But not 100% sure if any problems I missed, that's why I sent this mail :-)

XTS mode has some problems too but I am fairly sure it s still better than
CBC today (as default). People who exactly know what they are doing can
always switch the cipher during format time.
(Or later change it with reencrypt tool).

For people (like me :) who have no easy access to final IEEE documents, here is the
XTS draft which is enough to understand XTS block mode.

More information about the dm-crypt mailing list