Hi, AFAICS, IEEE 1619-2007 standard mentions only XTS-AES-128 and XTS-AES-256, meaning that the keys should be either 256 or 512 bits. Further, NIST SP800-38E mentions that an implementation may restrict support to only one of XTS-AES-{128,256}, but does not explicitly allow other cipher suites. I don't see this enforcement in crypto/xts.c (XTS SW implementation), though I noticed that XTS mode is used for other ciphers besides AES. More, tcrypt has xts(aes) speed tests checking also for XTS-AES-192. For HW crypto engines adhering strictly to IEEE P1619-2007 this is a problem: [...] tcrypt: test 5 (384 bit key, 16 byte blocks): caam_jr 8020000.jr: key size mismatch tcrypt: setkey() failed flags=200000 [...] Is the kernel more permissive than the standard? Thanks, Horia