From: Milan Broz
Date: Tue, 04 Aug 2009 09:42:12 +0200
Message-ID: <4A77E654.5000606@redhat.com>
References: <20090803125342.CF87216440B5@mail.absint.com> <20090803234824.190ea23a@gmail.com>
In-Reply-To: <20090803234824.190ea23a@gmail.com>
Subject: Re: [dm-crypt] 1,5 TB partition: use cbc-essiv or xts-plain?
To: dm-crypt@saout.de

Moji wrote:
> This includes newer ciphers because the more data you encrypt with a single key,
> and right now dm-crypt only allows for single keys, the more susceptible your algorithm
> is regardless which one you use.

Just a small note: dm-crypt (the kernel part) has one key per mapped segment, you can create as many segments with different keys (even with different algorithms)
(imagine a simple Logical Volume in LVM split over several areas of disk - the same logic can be used for crypt segments.)

Another option is stacking - create several encrypted devices and map another volume(s) over it (LVM over LUKS is exactly that).

Only userspace (cryptsetup) is not able to configure it easily - you have to use dmsetup directly (or stack LVM/MD over several LUKS devices).

Milan
--
mbroz@redhat.com
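
The per-segment keying described in the reply above, as an added example that is not part of the original message or of the dm-crypt/cryptsetup code: a shell function that prints a multi-segment `crypt` table suitable for `dmsetup create`. The names `crypt_table` and `newkey`, the device `/dev/sdX`, the sector count and the cipher specs (`aes-xts-plain64`, `aes-cbc-essiv:sha256`) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Print a device-mapper table that splits one device into dm-crypt segments,
# each with its own cipher and key. Table line format:
#   <start> <length> crypt <cipher> <hex key> <iv_offset> <device> <offset>
# Usage: crypt_table DEVICE SECTORS CIPHER HEXKEY [CIPHER HEXKEY ...]
crypt_table() {
    if [ $# -lt 4 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "crypt_table: need DEVICE SECTORS and CIPHER HEXKEY pairs" >&2
        return 1
    fi
    dev=$1 total=$2
    shift 2
    nseg=$(( $# / 2 ))
    if [ "$total" -lt "$nseg" ]; then
        echo "crypt_table: fewer sectors than segments" >&2
        return 1
    fi
    # Validate every key before printing, so a bad key never yields a partial table.
    n=0
    for arg in "$@"; do
        n=$(( n + 1 ))
        [ $(( n % 2 )) -eq 1 ] && continue    # odd positions are cipher specs
        case $arg in
            ''|*[!0-9a-fA-F]*) echo "crypt_table: key $(( n / 2 )) is not hex" >&2; return 1 ;;
        esac
    done
    seg=$(( total / nseg )) start=0 i=1
    while [ $# -gt 0 ]; do
        len=$seg
        # The last segment absorbs the remainder so the whole device is mapped.
        [ "$i" -eq "$nseg" ] && len=$(( total - start ))
        # iv_offset is 0 (IV sector numbers restart in each segment); the offset
        # on the backing device equals the start sector of the mapping.
        printf '%s %s crypt %s %s 0 %s %s\n' "$start" "$len" "$1" "$2" "$dev" "$start"
        start=$(( start + len ))
        i=$(( i + 1 ))
        shift 2
    done
}

# Demo: constructed values. /dev/sdX is a placeholder, 2929687500 sectors is
# about 1.5 TB, and the keys are throwaway random bytes printed to stdout.
newkey() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }
crypt_table /dev/sdX 2929687500 \
    aes-xts-plain64 "$(newkey)" \
    aes-cbc-essiv:sha256 "$(newkey)"
# To activate (root, real device): crypt_table ... | dmsetup create NAME
# "dmsetup table" hides keys unless --showkeys is given.
```

Each output line is an independent crypt target, so compromise of one segment's key exposes only that segment's sector range.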