From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from tansi.org (ns.km10532-04.keymachine.de [87.118.102.195])
	by mail.saout.de (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Mon, 14 Sep 2009 05:44:03 +0200 (CEST)
Received: from gatewagner.dyndns.org (84-74-165-216.dclient.hispeed.ch
	[84.74.165.216]) by tansi.org (Postfix) with ESMTP id AA8AB4250006
	for <dm-crypt@saout.de>; Mon, 14 Sep 2009 05:44:06 +0200 (CEST)
Date: Mon, 14 Sep 2009 05:44:02 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20090914034401.GC22605@tansi.org>
References: <bb145bd20909131246m75329aa9h40863f3dac57e4@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <bb145bd20909131246m75329aa9h40863f3dac57e4@mail.gmail.com>
Subject: Re: [dm-crypt] aes-256-xts on a 2.5TB volume ... How much
	trouble	am I in?
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Sun, Sep 13, 2009 at 09:46:23PM +0200, Christian Pernegger wrote:
> Hi all,
> 
> I've recently finished setting up our new file server, whose largest
> filesystem is 2.5TB in size; ext3 on dm-crypt (aes-256-xts) on lvm on
> md-raid5. The setup seems fine, but googling for an unrelated
> performance problem brought to light some disconcerting news:
> 
> 1) xts becomes more insecure the larger the encrypted volume is and is
> thus not recommended for volumes >1TB. Great. How bad is this in my
> case on a "makes cracking the encryption easier in theory" -- "any
> scriptkiddie can do it in 5 seconds" scale?

Likely in the "makes breaking it a few millions cheaper but 
leaves plenty" class. Also, you need to think about what your 
attacker model is. For example: If they cannot walk out with 
the disks, will transferring 2.5TB over the net be noticed?

> 2) Something about *-plain being 32 bit only and thus limited to 2TB.
> What happens to data over 2TB? Less secure, not encrypted at all, kiss
> it goodbye?

No idea. I would assume a sane implementation that reports
an error on access attempts past the limit, but worst case
is a wrap-around and overwrite of data at the beginning.
 
> I can't recreate the mapping with different settings easily, since
> I've already copied the data over and dismantled the old server but of
> course everything depends on how bad this is ...

Well, you can always use your backup procedure to move the data 
off and put it back on under new encryption. You do have backup, 
right?

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier