LUKS2 auth.encryption - do not use MORUS cipher

Hi,

TL;DR
Please *do* *not* use any MORUS cipher and stick with only AEGIS128
(aegis128-random in cryptsetup options; do not use aegis128l and aegis256).


One of the reasons to have LUKS2 authenticated encryption
marked as the experimental feature was lack of properly
analyzed AEAD ciphers.

As part of the research, we implemented some CAESAR [1] crypto
competition candidates in kernel (before the final portfolio
was announced).

From the implemented variants, only AEGIS128 was selected
as a CAESAR winner.

There are ongoing patches [2] that remove all ciphers that
are not in the final portfolio from the kernel
(and I fully support this decision [3]).

 - the MORUS cipher (all variants) has serious problems [4];
 it is de facto no longer secure

 - other AEGIS variants (AEGIS256, AEGIS128L) are ok,
 but the consensus seems to be to support only one finalist
 variant (AEGIS128)

 - the only supported (and accelerated) variant is AEGIS128

It means that all LUKS2 devices using these ciphers will
no longer be supported once these patches reach the upstream kernel.

Unfortunately, we cannot use the new reencryption feature to
switch authenticated encryption ciphers yet (this will
be partially possible in the future, though).

Thanks,
Milan

[1] https://competitions.cr.yp.to/caesar.html
[2] https://lore.kernel.org/linux-crypto/20190628170746.28768-1-ard.biesheuvel@xxxxxxxxxx/
[3] https://lore.kernel.org/linux-crypto/ca908099-3305-9764-dbf2-adc7a256ad59@xxxxxxxxx/
[4] https://eprint.iacr.org/2019/172.pdf
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
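Added example (not part of Milan's post or of cryptsetup itself): a small POSIX shell check that scans `cryptsetup luksDump` output for the AEAD cipher names the post says will lose kernel support, i.e. any MORUS variant plus AEGIS128L and AEGIS256, while leaving the recommended `aegis128-random` alone. The embedded dump text is a constructed approximation of the `Data segments:` section of a LUKS2 header dump, not captured output; the cipher spellings `morus1280-random` / `aegis256-random` follow the `aegis128-random` naming used in the post and are assumptions about how such a device would have been formatted. `check_device` needs root and a real cryptsetup binary and is not exercised here.

```shell
#!/bin/sh
# Added example: flag LUKS2 data segments whose AEAD cipher is slated for
# removal from the kernel (any MORUS variant, AEGIS128L, AEGIS256).

# affected_ciphers: read `cryptsetup luksDump` output on stdin and print
# every "cipher:" value that the post says will no longer be supported.
# aegis128-random does not match any of the patterns and is left alone.
affected_ciphers() {
    awk '
        $1 == "cipher:" {
            c = tolower($2)
            if (c ~ /^morus/ || c ~ /^aegis128l/ || c ~ /^aegis256/) print c
        }
    '
}

# check_device DEV: dump the header of a real LUKS2 device and report.
# Requires root and cryptsetup; not run in this example.
check_device() {
    bad=$(cryptsetup luksDump "$1" | affected_ciphers)
    if [ -n "$bad" ]; then
        echo "$1: uses $bad; migrate the data before the kernel drops it"
        return 1
    fi
    echo "$1: ok"
}

# Constructed sample dump (approximate layout, two segments so both the
# accepted and the affected case appear): segment 0 uses the recommended
# AEGIS128 cipher, segment 1 uses a MORUS cipher.
SAMPLE_DUMP='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aegis128-random
        sector: 4096 [bytes]
        integrity: aead
  1: crypt
        offset: 33554432 [bytes]
        length: (whole device)
        cipher: morus1280-random
        sector: 4096 [bytes]
        integrity: aead
'

# Stand-alone run: prints "morus1280-random" for the constructed sample.
printf '%s' "$SAMPLE_DUMP" | affected_ciphers
```

On a live system, run `check_device /dev/sdX` as root for each LUKS2 device that was formatted with `--integrity`; a non-zero exit means the header names a cipher that the referenced kernel patches remove.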


