On Sun, Jul 12, 2009 at 8:17 AM, <Sadako@xxxxxxxxxxxxxxxxx> wrote:
> With XTS, if I provide a key in hex to cryptsetup with "-h plain", only
> half the key bits seem to be used.
> For example, if I specify "-s 256", I get the same results by supplying a
> 128-bit key as I do when supplying the expected 256-bit key, I need to
> supply a key of less than 128 bits to see any difference.
> Same when specifying "-s 512", all key sizes of 256 bits and above yield
> the same result.
> It works as expected with CBC, and I'm not so sure about LRW.

XTS requires two keys, eg: if you specify 256bit then each key will be 128bit, see:
http://www.truecrypt.org/docs/?s=modes-of-operation

> The second issue I've come across is, when supplying binary (rather than
> hex) key material, using "--key-file=-" to read the data from stdin, it
> doesn't error out if not enough data can be read, unlike when supplying an
> actual file to --key-file.
> For example, if you have a file (say "/tmp/foo") with 128 bits of random
> data, and run `cryptsetup -c aes-xts-benbi -s 256 --key-file=/tmp/foo
> create loop /dev/loop0`, it errors out with "Command failed: Key
> processing error: Could not read 32 bytes from key file", however if you
> run `cat /tmp/foo | cryptsetup -c aes-xts-benbi -s 256 --key-file=- create
> loop /dev/loop0`, it works when it shouldn't.
>
> Also, even when you do supply a key file of the required size, you get
> different results with `cat /tmp/foo | cryptsetup --key-file=-` than you
> do with `cryptsetup --key-file=/tmp/foo`...

I'm not familiar with keyfiles, but I'd be looking at the source code
to see how they are treated differently.
(perhaps at http://www.google.com/codesearch/p?hl=en&sa=N&cd=1&ct=rc#XUHSqiyZS4s/trunk/lib/utils.c&q=key-file%20package:http://cryptsetup\.googlecode\.com&l=344)

--
Roscoe

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
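
A length guard for the stdin case described in the quoted report, as an added example that is not part of this thread or of cryptsetup: the hypothetical helper `require_key_bytes` passes binary key material through only when it is exactly the number of bytes implied by `-s`. It checks length only and does not change how cryptsetup treats `--key-file=-` input; rejecting over-long input is a choice made for this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not cryptsetup code).
# require_key_bytes BITS [FILE]
#   Reads binary key material from FILE, or from stdin when FILE is "-" or
#   omitted, and writes it to stdout only if it is exactly BITS/8 bytes.
#   Returns 0 on success, 1 on a length mismatch, 2 on a bad BITS argument.
# Usage with the command from the report:
#   require_key_bytes 256 /tmp/foo | \
#     cryptsetup -c aes-xts-benbi -s 256 --key-file=- create loop /dev/loop0
require_key_bytes() {
    bits=$1
    src=${2:--}
    case $bits in
        ''|*[!0-9]*) echo "key size must be a number of bits" >&2; return 2 ;;
    esac
    [ "$((bits % 8))" -eq 0 ] || { echo "key size must be a multiple of 8" >&2; return 2; }
    want=$((bits / 8))

    # Read at most want+1 bytes, hex-encoded so NUL bytes survive in a shell
    # variable and nothing is written to disk. The extra byte exposes over-long input.
    if [ "$src" = "-" ]; then
        hex=$(head -c "$((want + 1))" | od -An -v -tx1 | tr -d ' \n')
    else
        hex=$(head -c "$((want + 1))" < "$src" | od -An -v -tx1 | tr -d ' \n')
    fi

    if [ "$(( ${#hex} / 2 ))" -ne "$want" ]; then
        unset hex
        echo "key material: expected exactly $want bytes for -s $bits" >&2
        return 1
    fi

    # Decode the hex back to raw bytes, one octal escape per byte.
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}
        hex=${hex#??}
        printf "\\$(printf '%03o' "0x$byte")"
    done
    unset hex byte
}
```
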