On 07/06/2020 12:52, Victor Ivanov wrote:
> Indeed. I second Rich and too would recommend sticking with AES for this
> reason. LUKS will support an AES key of up to 512 bits. It's fast and
> hardware acceleration is widely available.
> ...
> For example, Intel's native AES extensions work in 4x4 data blocks of
> 128 bits but will support variable key lengths. Their white paper [3]
> suggests supported key lengths are 128, 192, and 256 bits but I've been
> using a 512 bit key on my drives for years with negligible performance
> impact (Skylake systems).

Perhaps this requires extra clarification re key length, which I should have included, as it may give misleading information.

As an algorithm AES fundamentally only goes up to 256 bits for key length. However, in XTS mode (aes-xts) two _separate_ keys are used for the initialisation vector and the block encryption. As such, for AES-256 in XTS mode, one needs to supply 2x256b keys.

Effectively, 512b are used, but this too may be misleading. It's better than 1x256b but certainly not as good as 1x512: (2^256 + 2^256) vs 2^512. It also maps well to hardware extensions already supporting key sizes of 256b.

This is not possible in CBC or GCM mode which only allows for a single key of up to 256b.

My apologies, it was a case of my fingers getting ahead of my thoughts and not having formulated the latter appropriately.

Regards,
Victor
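
The key split described in this message can be checked directly. As an added example (not part of the original message), the Python below rebuilds AES-XTS from single-block AES-256 calls, using one half of a 512-bit key for the data blocks and the other half for the per-sector tweak, and compares the result with a library's XTS mode given the same 512-bit key. It assumes the third-party `cryptography` package; the key, sector number and plaintext are constructed sample values, and the function names are this example's own.

```python
# Added example: assumes the third-party "cryptography" package is installed.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16                          # AES block size in bytes
KEY = bytes(range(64))              # constructed 512-bit XTS key (two distinct halves)
SECTOR = 5                          # constructed sector number
PLAINTEXT = bytes(range(256)) * 2   # constructed 512-byte sector


def ecb_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt exactly one 16-byte block with plain AES."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def next_tweak(tweak: bytes) -> bytes:
    """Multiply the tweak by alpha in GF(2^128), little-endian as in IEEE 1619."""
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:                                  # carry out of bit 127
        n = (n & ((1 << 128) - 1)) ^ 0x87         # reduce by the field polynomial
    return n.to_bytes(BLOCK, "little")


def xts_by_hand(key: bytes, sector: int, plaintext: bytes) -> bytes:
    """XTS for whole blocks only (no ciphertext stealing)."""
    half = len(key) // 2
    data_key, tweak_key = key[:half], key[half:]  # 2 x 256 bits for a 512-bit key
    tweak = ecb_encrypt(tweak_key, sector.to_bytes(BLOCK, "little"))
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        masked = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], tweak))
        cipher_block = ecb_encrypt(data_key, masked)
        out += bytes(a ^ b for a, b in zip(cipher_block, tweak))
        tweak = next_tweak(tweak)
    return bytes(out)


def xts_library(key: bytes, sector: int, plaintext: bytes) -> bytes:
    """The library's own AES-XTS, given the full 512-bit key."""
    mode = modes.XTS(sector.to_bytes(BLOCK, "little"))
    enc = Cipher(algorithms.AES(key), mode).encryptor()
    return enc.update(plaintext) + enc.finalize()


if __name__ == "__main__":
    same = xts_by_hand(KEY, SECTOR, PLAINTEXT) == xts_library(KEY, SECTOR, PLAINTEXT)
    print("512-bit XTS key behaves as two AES-256 keys:", same)
```

Every AES call in `xts_by_hand` uses a 256-bit key, so the cipher doing the work is AES-256 even though the supplied key is 512 bits long.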