Add option to set a 512 bit key for AES (XTS-AES). Closes: #788227

Today I was installing a computer from scratch with Debian and I couldn't finish the install process because there was no option to select a 512 key for AES encryption with LUKS.

I ended up manually creating the partition with sysrescuecd and command line tools and then using that precreated LUKS volume to finish the installation.

It seems there was an old report with a patch attached for enabling this at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788227 but it got ignored.

Please merge this. There is no reason to not allow the users to select a 512 bit key if they wish.

Patch by Nathan Schulte <nmschulte@gmail.com>
Date: Tue, 9 Jun 2015 09:46:53 -0500

  Add 512 bit key-size for AES (XTS-AES)

    The aes-xts-plain64 cipher effectively halves the chosen keysize due to
    keysplitting used in the algorithm.  Thus, choosing a 256 bit key-size
    does not lead to AES 256 encryption but AES 128 instead.

    There's probably a better way to convey this to the user, as they'll need
    to be vigilant in order to make use of this.  As well, it may be wise to
    default to 256 bit key-size in the UI, and I believe this change will
    cause the default selection to be 512.
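
The key halving described in the commit message can be checked on an existing volume. The following is an added example, not code from this merge request or from the installer: it reads LUKS1-style `cryptsetup luksDump` text and reports the key size AES actually receives. The function names `effective_aes_bits` and `sample_dump`, the device name and the sample header are constructed for illustration, and the LUKS1 field layout is assumed.

```shell
#!/bin/sh
# Added example: derive the effective AES key size from LUKS1 luksDump text.
# XTS splits the master key into two equal halves (data key and tweak key),
# so AES is keyed with only half of "MK bits". Other modes use the full key.

effective_aes_bits() {
    # stdin: luksDump text. stdout: "<cipher>-<mode> <mk_bits> <aes_bits>".
    # Exit status 2 if the expected header fields are missing.
    awk '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        /^Cipher name:/ { name = val($0) }
        /^Cipher mode:/ { mode = val($0) }
        /^MK bits:/     { mk = val($0) + 0 }
        END {
            if (name == "" || mode == "" || mk == 0) exit 2
            aes = (mode ~ /^xts/) ? mk / 2 : mk
            printf "%s-%s %d %d\n", name, mode, mk, aes
        }'
}

sample_dump() {
    # Constructed sample header; $1 = cipher mode, $2 = master key bits.
    cat <<EOF
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    $1
Hash spec:      sha256
Payload offset: 4096
MK bits:        $2
EOF
}

# Demo on constructed input. On a real system the input would come from:
#   cryptsetup luksDump /dev/sdX2 | effective_aes_bits
sample_dump xts-plain64 256 | effective_aes_bits
sample_dump xts-plain64 512 | effective_aes_bits
```
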
