Hi all, After I sent the post below, I stumbled upon the cryptsetup FAQ page[1]. It answered a lot of my concerns, including the SHA1 and the cipher (plain, plain64, xts, essiv) issues. [1] https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions Thanks! On Thu, 16 Apr 2015 15:07:25 -0400 Stephen R Guglielmo <srguglielmo@gmail.com> wrote: > Thanks for all the replies in the previous thread! I've been doing > some reading and have another question. It seems the default for LUKS > (as displayed by `cryptsetup --help`) is: > > aes-xts-plain64, Key: 256 bits > LUKS header hashing: sha1 > RNG: /dev/urandom > > I would like to have a high level of security. Can I use /dev/random > instead of /dev/urandom to have a more cryptographically-secure RNG? > Or will I run out of entropy and start blocking? Is the RNG used for > everyday use of the encrypted volume, or just the initial format? If > the latter, I can deal with some blocking as I generate additional > entropy. > > I checked /proc/crypto, and I don't see anything "stronger" than sha1. > sha1 was beginning to be considered insecure in roughly 2005. Can I > somehow get support for sha512? > > As for the cipher, I'm not too familiar on such things. cryptsetup(8) > says I can "optionally set a key size of 512 bits with the -s option." > I do see options in /proc/crypto about "xts-aes-aesni". Would this be > faster/better since it's using the AESNI instruction set on my CPU? > > I have a (never-expiring) paste of my /proc/crypto at > https://paste.debian.net/167171/ > > Thank you all!
Attachment:
pgp9qWMR1lUF1.pgp
Description: OpenPGP digital signature