On 01/05/2013 06:20 PM, Arno Wagner wrote:
> What does RHEL use and recommend? Do they always use
> AES256-XTS or is AES128-XTS offered as an option (not when
> doing this manually via commandline). I think there would
> be some benefit to have the same defaults in distro-independent
> cryptsetup.

- Encrypted disk installation is using AES-XTS with 512bit key.
(installer overwrites default. But I know there was no real discussion
about AES128/256 before this was changed.)
Installer (anaconda) doesn't allow default cipher/key size change
but allows to "reuse" existing LUKS device.

- compiled-in cryptsetup default is the same as upstream (CBC with ESSIV)
(RHEL7 will use XTS as default, I would like to see the same default as upstream.)
(This was mainly for compatibility reasons but now even RHEL5 can map XTS LUKS discs.)

- RHEL in FIPS mode (dmcrypt/LUKS module is still not validated though)
allows CBC (only with ESSIV) and XTS with AES128/192/256

Well, I can get more info from independent people here internally.

My current opinion is to use aes-xts-plain64 with 256bit key
(IOW use AES128) as independent default for LUKS.

Milan
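The key-size arithmetic behind "256bit key (IOW use AES128)" and the installer's 512-bit XTS key, as an added example that is not part of the original message: a small check that reads LUKS1 `cryptsetup luksDump` header fields and reports the AES variant actually in use. The sample dump is constructed, and the function names `parse_luks_dump` and `effective_cipher` are hypothetical.

```python
import re

# Constructed sample of LUKS1 `cryptsetup luksDump` header fields (not from the thread).
SAMPLE_DUMP = """\
LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
"""


def parse_luks_dump(text):
    """Return the 'Key: value' header fields of a luksDump listing as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def effective_cipher(fields):
    """Map cipher name, mode and MK bits to the cipher key size really used."""
    name = fields["Cipher name"].lower()
    mode, _, iv = fields["Cipher mode"].lower().partition("-")
    mk_bits = int(fields["MK bits"])
    # XTS splits the volume key into two equal halves (data key and tweak
    # key), so the block cipher only sees half of the "MK bits" value.
    key_bits = mk_bits // 2 if mode == "xts" else mk_bits
    notes = []
    if name == "aes" and key_bits not in (128, 192, 256):
        notes.append("invalid AES key size")
    if mode == "cbc" and not iv.startswith("essiv"):
        notes.append("CBC without ESSIV")
    return {"cipher": f"{name.upper()}-{key_bits}", "mode": mode,
            "iv": iv, "notes": notes}


if __name__ == "__main__":
    print(effective_cipher(parse_luks_dump(SAMPLE_DUMP)))
```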