Re: [dm-crypt] 1,5 TB partition: use cbc-essiv or xts-plain?

[Heinz Diehl <htd@fancy-poultry.org>]

On 03.08.2009, Henrik Theiling wrote: 

> In this particular case: for a 1,5 TB partition, should I use
> cbc-essiv or xts-plain?

Encryption is only one piece in the security chain. You didn't even
tell us _why_ you want to have your data encrypted.

> It seems cbc-essiv is susceptible to watermarking (according to
> Wikipedia, which claims that no IV obfuscation algorithm protects
> against this except in the initial block.  Unfortunately, I cannot
> verify this, so it sounds bad to me.

ESSIV has been develop to address this problem and is not prone to
watermarking. The developer of ESSIV is here on the list, and maybe 
you're lucky and he will explain this a little bit closer to you.

> And then, xts-plain is said to become weaker on large disks, and some
> crypto implementations warn about this weakness for disks as small as
> 500GB.  So what's the alternative?

So they who has raised these claims you described above didn't provide an
explanation for their statements? 

> I don't seem to be able to make a decision on my own, so I'd like to
> ask for help.

We shall decide for you? That's generally a bad idea. There's only one
person with the whole knowledge, and that's you. I don't know why you want
to have your harddisk encrypted, what kind of data you have, how important
they are for yourself and others, how the potentially encrypted harddisk
is secured else, and so on and so on...

> There don't need to be simple answers -- I am willing to evaluate my
> problem thoroughly, but so far I found no good comparison.

You can take a look at dm-crypt.c to find out what methods of IV generation
are supported by LUKS/dmcrypt.

Don't know if this helps, I encrypted my Laptop (which carries a lot of
private data, e.g. the password to my online bank account) using

 -c twofish-cbc-essiv:sha256 

in case it gets lost or stolen, to prevent the thieves from getting access
to my money. I decided to use just this algorithm because I did some benchmarking
and it performed best (the major drag on a Laptop is the slow harddisk). 

A lot of distributions also use "-c aes-xts-benbi:sha256".