On Fri, Oct 22, 2021 at 10:14:11PM +0300, Vadim Akimov wrote:
> Hi!
>
> On Thu, 21 Oct 2021 at 21:34, Omar Sandoval <osandov@xxxxxxxxxxx> wrote:
> >
> > Here is the Google Doc:
> >
> > https://docs.google.com/document/d/1iNnrqyZqJ2I5nfWKt7cd1T9xwU0iHhjhk9ALQW3XuII/edit?usp=sharing
> >
>
> As I've understood, you are inclined to have a single key and only change IV
> for each extent. This might be dangerous as per this answer (and comments
> below): https://crypto.stackexchange.com/a/70630/71448

Correct me if I'm wrong, but I don't think this is a practical concern in
the fscrypt threat model. The birthday bound for AES is 256 EiB (2^(128 / 2)
blocks * 16 bytes per block). The theoretical maximum size of a Btrfs
filesystem is 16 EiB (since we use 64-bit byte addresses). fscrypt protects
against a "single point-in-time permanent offline compromise". This means
that the attacker only has what was on disk at the time that they stole your
disk. In this case, they won't have enough data for a birthday attack. I'm
curious where that post got the "multiple petabytes" number.
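The arithmetic in the reply above (2^64 AES blocks of 16 bytes = 256 EiB, versus a 16 EiB maximum Btrfs filesystem) is a point estimate at the classic birthday bound. The script below is an added example, not part of this thread or of the Btrfs/fscrypt code, that carries the same calculation through for an arbitrary data volume: how many 128-bit blocks a volume needs, the probability that at least two uniformly random 128-bit values collide among that many blocks (the standard approximation p ≈ 1 - exp(-n(n-1)/2^129), which is the quantity the PRP/PRF switching argument bounds), and, going the other way, the volume at which the collision probability reaches a chosen target. The 2^-32 target used in the demo is a common conservative distinguishing-advantage threshold and is this example's assumption; the thread does not state it.

```python
import math

# Parameters of AES: 128-bit blocks, 16 bytes per block.
AES_BLOCK_BITS = 128
AES_BLOCK_BYTES = AES_BLOCK_BITS // 8

PiB = 2 ** 50
EiB = 2 ** 60


def blocks_for_bytes(nbytes, block_bytes=AES_BLOCK_BYTES):
    """Number of block-cipher blocks needed to cover nbytes (rounded up)."""
    return -(-nbytes // block_bytes)


def birthday_bound_bytes(block_bits=AES_BLOCK_BITS, block_bytes=AES_BLOCK_BYTES):
    """Classic birthday bound, 2^(b/2) blocks, expressed in bytes.

    For AES this is 2^64 blocks * 16 bytes = 2^68 bytes = 256 EiB, the
    number quoted in the message above.
    """
    return (2 ** (block_bits // 2)) * block_bytes


def collision_probability(n_blocks, block_bits=AES_BLOCK_BITS):
    """P(at least one collision) among n_blocks uniformly random b-bit values.

    Uses p ~= 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps precision when p is tiny.
    Modelling the blocks as uniformly random (a PRF) is what the PRP/PRF
    switching argument bounds, so this is the distinguishing advantage one
    usually quotes for a single-key, counter-like construction.
    """
    exponent = -(n_blocks * (n_blocks - 1)) / float(2 ** (block_bits + 1))
    return -math.expm1(exponent)


def blocks_for_advantage(target, block_bits=AES_BLOCK_BITS):
    """Smallest n at which collision_probability(n) reaches `target`.

    Inverts the approximation above: n^2 / 2^(b+1) ~= -ln(1 - target).
    """
    return math.ceil(math.sqrt(-math.log1p(-target) * float(2 ** (block_bits + 1))))


def bytes_for_advantage(target, block_bits=AES_BLOCK_BITS, block_bytes=AES_BLOCK_BYTES):
    """Data volume in bytes at which the collision probability reaches `target`."""
    return blocks_for_advantage(target, block_bits) * block_bytes


def summarize(nbytes):
    """Blocks and collision probability for a volume of nbytes under one key."""
    n = blocks_for_bytes(nbytes)
    return {"blocks": n, "collision_probability": collision_probability(n)}


if __name__ == "__main__":
    # Constructed inputs: the two volumes discussed in the message above.
    print("birthday bound: %d EiB" % (birthday_bound_bytes() // EiB))
    for label, volume in (("max Btrfs fs (16 EiB)", 16 * EiB),
                          ("birthday bound (256 EiB)", 256 * EiB)):
        s = summarize(volume)
        print("%-26s blocks=2^%.1f  p(collision)=%.3g (~2^%.1f)"
              % (label, math.log2(s["blocks"]), s["collision_probability"],
                 math.log2(s["collision_probability"])))
    # Assumption for the demo: a 2^-32 advantage target, a common conservative
    # rule of thumb for rekeying (not something the thread asserts).
    target = 2 ** -32
    print("volume for p=2^-32: %.2f PiB" % (bytes_for_advantage(target) / PiB))
```

Running it shows that the birthday bound is where the collision probability is already about 0.39, that a full 16 EiB filesystem under one key sits near 2^-9, and that a 2^-32 target is crossed at roughly 5.7 PiB; which of those thresholds matters depends on the threat model the reply describes, not on the arithmetic.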