[dm-crypt] Switch to XTS mode for LUKS in cryptsetup in 1.6.0 (Was Re: [ANNOUNCE] cryptsetup 1.6.0-rc1)

Arno Wagner arno at wagner.name
Fri Jan 4 17:26:52 CET 2013

On Fri, Jan 04, 2013 at 01:18:33PM +0100, Milan Broz wrote:
> On 01/04/2013 12:53 PM, Ralf Ramsauer wrote:
> > On 01/04/13 12:50, Milan Broz wrote:
> >> On 12/29/2012 10:40 PM, Milan Broz wrote:
> >>> The testing release candidate cryptsetup 1.6.0-rc1 is available at
> >>>
> >>>    http://code.google.com/p/cryptsetup/
> >>>
> >>> Feedback and bug reports are welcomed.
> >>>
> >>> Cryptsetup 1.6.0 Release Notes (RC1)
> >>
> >> I am going to do one more important change to final 1.6.0:
> >> change LUKS _default_ cipher to aes-xts-plain64 with 512bits key.
> > 512bits Key?
> >>
> >> Most of recent disk encryption systems switched already to XTS mode,
> >> also it is preferred by standards (and we are using it for very long
> >> time in Fedora/RHEL during installations.)
> >>
> >> Distro maintainers can always overwrite this during compilation time,
> >> and user can use -c aes-cbc-essiv:sha256 -s 256 to old mode always.
> > You mean 256bits, don't you?
> For XTS? No, I meant 512.
> XTS uses 2 keys (for tweak and encryption). So with AES and 512bits
> we will use 2 x AES-256 in fact.
> But yes, question is if AES-128 (IOW 2x128 = 256 bits) is not enough here.

Lets stay with 512bit. A good rule for key-lengths is to
determine what is very likely secure and then use twice that.
> (With all know analysis to AES256 I still think it is better
> to prefer it to AES128.
> But not 100% sure if any problems I missed, that's why I sent this mail :-)

I think the current state is that in absolute terms AES256 is at 
least as secure than AES128, but maybe not more so. 

> XTS mode has some problems too but I am fairly sure it s still 
> better than CBC today (as default). 

Indeed. And AFAIK the problems are mostly with large blocks
and do not apply to LUKS as the blocka here are only 512 Bytes.

> People who exactly know what they are doing can
> always switch the cipher during format time.
> (Or later change it with reencrypt tool).

And people that do not know what they are doing are 
free to shoot themselves in the foot by fiddeling with
the defaults too!

I think this change is very low-risk. And as it is the
popular choice, it will see more analysis by the crypto-
community, which means earlier warning should it have
real (practical) problems.

> Milan
> p.s.
> For people (like me :) who have no easy access to final IEEE documents, here is the
> XTS draft which is enough to understand XTS block mode.
> http://grouper.ieee.org/groups/1619/email/pdf00086.pdf

Hehe, I think I have looked at this one too.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

More information about the dm-crypt mailing list