On Tue, Jul 27, 2010 at 10:46:44AM +0200, Milan Broz wrote:
> This thread is going crazy... :)

Slow day here ;-)

> 1) Facts about using plain IV generator:
>
> - "plain" IV is 32bit only, supported by all kernels
> - you should avoid using it for >2TB devices
> - it will remain this way because of backward compatibility (howgh:-)
>
> - "plain64" is fully 64bit, available since kernel 2.6.33
> - for device < 2TB it produces the same output as "plain"
>
> => use plain64 for new devices if you want to use tweakable encryption
> mode like XTS (or LRW), e.g. cryptsetup -c aes-xts-plain64

Added to the FAQ yesterday. Updated just now that plain64
is backwards compatible below 2TB.

> p.s.
> Never use plain* IV for CBC mode, use ESSIV there.
> <joke>If you are using ECB mode, you are lost anyway.</joke>
>
> 2) cryptsetup should have always safe defaults.
> It is aes-cbc-essiv:sha256 with 256bit key currently.
>
>
> 3) For the resize - we cannot catch all situations, someone can
> dd LUKS disk to another bigger volume without "resize" command.

Yes. My FAQ recommendation is to make a backup, create a
new container in the target size and then restore the data.
I think resizing the filesystem is just too risky otherwise.

> Tools will suggest using plain64 but it cannot force it.
>
>
> > So you guess the 1TB limit could be actually ...
>
> Forgot about 1TB limit, it is different XTS only problem.
> We mixed up two unrelated problems here.

Indeed.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
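
As an added example that is not part of the original thread or of dm-crypt itself: a small model of the "plain" and "plain64" IV generators, showing that they agree below the 32-bit sector boundary and that "plain" repeats IVs above it. It assumes 512-byte sectors and a 16-byte (AES block size) IV; the function names and the device sizes are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512                 # assumption: dm-crypt counts 512-byte sectors
IV_SIZE = 16                      # assumption: AES, so a 16-byte IV
PLAIN_WRAP_SECTORS = 1 << 32      # first sector number that no longer fits in 32 bits
PLAIN_WRAP_BYTES = PLAIN_WRAP_SECTORS * SECTOR_SIZE   # 2 TiB

def plain_iv(sector):
    # "plain": only the low 32 bits of the sector number, little-endian, zero-padded
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(IV_SIZE, b"\x00")

def plain64_iv(sector):
    # "plain64": the full 64-bit sector number, little-endian, zero-padded
    return struct.pack("<Q", sector).ljust(IV_SIZE, b"\x00")

def audit(device_bytes):
    """Report whether a device of this size makes "plain" reuse IVs."""
    sectors = device_bytes // SECTOR_SIZE
    reused = max(0, sectors - PLAIN_WRAP_SECTORS)
    return {
        "sectors": sectors,
        "plain_wraps": reused > 0,
        # every sector past the wrap shares its IV with sector (n - 2**32)
        "sectors_reusing_iv": reused,
        "first_colliding_sector": PLAIN_WRAP_SECTORS if reused else None,
    }

if __name__ == "__main__":
    # Below the boundary both generators produce identical IVs.
    print(plain_iv(5).hex(), plain64_iv(5).hex())
    # Above it, "plain" wraps back onto sector 5; "plain64" does not.
    high = PLAIN_WRAP_SECTORS + 5
    print(plain_iv(high).hex(), plain64_iv(high).hex())
    # Constructed device sizes: 1 TiB, exactly 2 TiB, 3 TiB.
    for size in (1 << 40, PLAIN_WRAP_BYTES, 3 << 40):
        print(size, audit(size))
```
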