| 1 |
On 07/06/2020 12:52, Victor Ivanov wrote: |
| 2 |
> Indeed. I second Rich and too would recommend sticking with AES for this |
| 3 |
> reason. LUKS will support an AES key of up to 512 bits. It's fast and |
| 4 |
> hardware acceleration is widely available. |
| 5 |
> ... |
| 6 |
> For example, Intel's native AES extensions work in 4x4 data blocks of |
| 7 |
> 128 bits but will support variable key lengths. Their white paper [3] |
| 8 |
> suggests supported key lengths are 128, 192, and 256 bits but I've been |
| 9 |
> using a 512 bit key on my drives for years with negligible performance |
| 10 |
> impact (Skylake systems). |
| 11 |
|
| 12 |
Perhaps this requires extra clarification re key length, which I should |
| 13 |
have included, as it may give misleading information. |
| 14 |
|
| 15 |
As an algorithm AES fundamentally only goes up to 256 bits for key |
| 16 |
length. However, in XTS mode (aes-xts) two _separate_ keys are used for |
| 17 |
the initialisation vector and the block encryption. As such, for AES-256 |
| 18 |
in XTS mode, one needs to supply 2x256b keys. |
| 19 |
|
| 20 |
Effectively, 512b are used, but this too may be misleading. It's better |
| 21 |
than 1x256b but certainly not as good as 1x512: (2^256 + 2^256) vs |
| 22 |
2^512. It also maps well to hardware extensions already supporting key |
| 23 |
sizes of 256b. |
| 24 |
|
| 25 |
This is not possible in CBC or GCM mode which only allows for a single |
| 26 |
key of up to 256b. |
| 27 |
|
| 28 |
My apologies, it was a case of my fingers getting ahead of my thoughts |
| 29 |
and not having formulating the latter appropriately. |
| 30 |
|
| 31 |
Regards, |
| 32 |
Victor |
Archives