Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 27 Jul 2012 18:26:54 +0200
From:      Fabian Keil <>
Subject:   Re: geli - selecting cipher
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <juropu$hvb$> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

RW <> wrote:

> On Thu, 26 Jul 2012 17:47:10 +0200
> Ivan Voras wrote:
> > On 26/07/2012 04:14, RW wrote:
> >=20
> > > I asked a similar questions to the OPs in the geom list and didn't
> > > get an answer. Geli doesn't need or isn't using any advantages of
> > > XTS. And CBC in geli is actually equivalent to ESSIV (see the
> > > previously linked wikipedia page).=20

> > You didn't get an answer because in security, the answer depends on
> > exact circumstances of use. The short answer is that if you don't
> > have a specific adversary you need to protect your data from, I'd say
> > that GELI's CBC is good enough for you.

Most answers depend on the circumstances. At least to me this doesn't
seem like a good reason to completely ignore questions, even if they
are related to security.

Saying that geli's CBC implementation "is good enough" for someone
seems to imply that it's somehow worse than XTS in general. Could you
please clarify in which scenario you think XTS offers better protection?

> Actually the reason I asked is that I wanted to check whether I was
> ovelooking some key advantage of XTS that justified its being the
> default.

The rationale of the change isn't clear to me either.
Until recently I wasn't aware of the performance impact, though.

> AES-XTS was chosen to provide the best protection against modified
> ciphertext without using authentication which would expand the size
> of the data.
> It seem to me than anyone that worries about attackers tampering with
> a drive should use authentication in geli, and anyone that doesn't
> should leave it off and use CBC.

If ZFS is used and checksums aren't disabled, I don't see any
advantage of additionally enabling geli's authentication whose
protection seems a lot weaker. For tampering resistance I would
thus recommend ZFS on geli without authentication in geli.


Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc

Version: GnuPG v2.0.19 (FreeBSD)



Want to link to this message? Use this URL: <>