geli - selecting cipher

Fabian Keil freebsd-listen at fabiankeil.de
Thu Jul 26 13:49:10 UTC 2012


RW <rwmaillists at googlemail.com> wrote:

> On Wed, 25 Jul 2012 19:52:39 -0500 (CDT)
> Robert Bonomi wrote:
> 
> > > From owner-freebsd-questions at freebsd.org  Wed Jul 25 14:00:27 2012
> > > Date: Wed, 25 Jul 2012 20:57:30 +0200 (CEST)
> > > From: Wojciech Puchar <wojtek at wojtek.tensor.gdynia.pl>
> > > To: freebsd-questions at freebsd.org
> > > Subject: geli - selecting cipher
> > >
> > > i need high speed disk encryption (many disks running in parallel,
> > > lots of data movement). i have processor with AES-NI.
> > >
> > > geli give 150MB/s performance (tested from/to md ramdisk) using
> > > default and recommended AES-XTS
> > >
> > > and ca 400MB/s read and 700MB/s write using AES-CBC.
> > >
> > > I'm not cryptography expert, is CBC somehow "less secure", and if
> > > so is it really a problem?
> > 
> > If you "don't know" what strength encryption you need, and/or the
> > difference between the methods, you need to hire a data-security
> > professional to examine your situation and make recommendations
> > appropriate for _your_ needs.
> > 
> > 'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly
> > -sequential- data access.   Try reading the blocks of a large (say
> > 10gB) file in *reverse* order and see what kind of performance you
> > get.  
> 
> Exactly the same, in geli the encryption is done per sector. 
> 
> 
> I asked a similar questions to the OPs in the geom list and didn't get
> an answer. Geli doesn't need or isn't using any advantages of XTS. And
> CBC in geli is actually equivalent to ESSIV (see the previously linked
> wikipedia page). 
> 
> In the end I went with 128 bit aes-cbc since it's the fastest setting
> and Bruce Schneier recommends 128 over 256 AES as being more secure.  

Can you provide the source for the "as being more secure" part?

I'm aware of the following recommendation:

| And for new applications I suggest that people don't use AES-256.
| AES-128 provides more than enough security margin for the forseeable
| future. But if you're already using AES-256, there's no reason to change.
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

But (the way I interpret it) there's no claim that AES-128 is more
secure either in general or in the context of disk encryption.

Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20120726/1c9042d4/signature.pgp


More information about the freebsd-questions mailing list