1 |
On 07/06/2020 12:52, Victor Ivanov wrote: |
2 |
> Indeed. I second Rich and too would recommend sticking with AES for this |
3 |
> reason. LUKS will support an AES key of up to 512 bits. It's fast and |
4 |
> hardware acceleration is widely available. |
5 |
> ... |
6 |
> For example, Intel's native AES extensions work in 4x4 data blocks of |
7 |
> 128 bits but will support variable key lengths. Their white paper [3] |
8 |
> suggests supported key lengths are 128, 192, and 256 bits but I've been |
9 |
> using a 512 bit key on my drives for years with negligible performance |
10 |
> impact (Skylake systems). |
11 |
|
12 |
Perhaps this requires extra clarification re key length, which I should |
13 |
have included, as it may give misleading information. |
14 |
|
15 |
As an algorithm AES fundamentally only goes up to 256 bits for key |
16 |
length. However, in XTS mode (aes-xts) two _separate_ keys are used for |
17 |
the initialisation vector and the block encryption. As such, for AES-256 |
18 |
in XTS mode, one needs to supply 2x256b keys. |
19 |
|
20 |
Effectively, 512b are used, but this too may be misleading. It's better |
21 |
than 1x256b but certainly not as good as 1x512: (2^256 + 2^256) vs |
22 |
2^512. It also maps well to hardware extensions already supporting key |
23 |
sizes of 256b. |
24 |
|
25 |
This is not possible in CBC or GCM mode which only allows for a single |
26 |
key of up to 256b. |
27 |
|
28 |
My apologies, it was a case of my fingers getting ahead of my thoughts |
29 |
and not having formulating the latter appropriately. |
30 |
|
31 |
Regards, |
32 |
Victor |