Thanks for all the replies in the previous thread! I've been doing some reading and have another question. It seems the default for LUKS (as displayed by `cryptsetup --help`) is:

    aes-xts-plain64, Key: 256 bits
    LUKS header hashing: sha1
    RNG: /dev/urandom

I would like to have a high level of security. Can I use /dev/random instead of /dev/urandom to have a more cryptographically-secure RNG? Or will I run out of entropy and start blocking? Is the RNG used for everyday use of the encrypted volume, or just the initial format? If the latter, I can deal with some blocking as I generate additional entropy.

I checked /proc/crypto, and I don't see anything "stronger" than sha1. sha1 was beginning to be considered insecure in roughly 2005. Can I somehow get support for sha512?

As for the cipher, I'm not too familiar with such things. cryptsetup(8) says I can "optionally set a key size of 512 bits with the -s option." I do see options in /proc/crypto about "xts-aes-aesni". Would this be faster/better since it's using the AESNI instruction set on my CPU?

I have a (never-expiring) paste of my /proc/crypto at https://paste.debian.net/167171/

Thank you all!