Hi,

On 2021-10-15 15:22:48 -0400, Stephen Frost wrote:
> * Bruce Momjian (br...@momjian.us) wrote:
> > Finally, there is an interesting web page about when not to use XTS:
> >
> > https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/
>
> This particular article always struck me as more of a reason for us, at
> least, to use XTS than to not- in particular the very first comment it
> makes, which seems to be pretty well supported, is: "XTS is the de-facto
> standard disk encryption mode."
I don't find that line of argument *that* convincing. The reason XTS is
the de-facto standard is that for generic block layer encryption you
can't add additional data for each block without very significant
overhead (basically needing journaling to ensure that the data doesn't
get out of sync).

But we don't really face the same situation - we *can* add additional
data. With something like AES-GCM-SIV we can use the additional data to
get IV reuse resistance *and* authentication. And while perhaps we are
ok with the IV reuse guarantees XTS has, it seems pretty clear that
we'll want guaranteed authenticity at some point. And then we'll need
extra data anyway.

Thus, to me, it doesn't seem worth going down the XTS route, just to
temporarily save a bit of implementation effort. We'll have to endure
that pain anyway.

Greetings,

Andres Freund
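As an added example (not code from this thread or from PostgreSQL), here is the per-page "additional data" Andres describes, done with AES-GCM from Go's standard library because AES-GCM-SIV is not in it; it therefore shows the authentication half of the argument, not GCM-SIV's IV-reuse resistance. Each page record carries its own nonce and tag, and the page number is bound as associated data, so a record that is modified or copied in from another page fails to open; the function names and record layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPage returns the on-disk record nonce || ciphertext || tag for one page,
// binding the page number as associated data (recomputed on read, never stored).
func sealPage(aead cipher.AEAD, pageNo uint32, plain []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := make([]byte, 4)
	binary.BigEndian.PutUint32(aad, pageNo)
	return aead.Seal(nonce, nonce, plain, aad), nil
}

// openPage verifies and decrypts; a flipped bit or a record from another page fails.
func openPage(aead cipher.AEAD, pageNo uint32, rec []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(rec) < n+aead.Overhead() {
		return nil, errors.New("record too short")
	}
	aad := make([]byte, 4)
	binary.BigEndian.PutUint32(aad, pageNo)
	return aead.Open(nil, rec[:n], rec[n:], aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from a key store
	rand.Read(key)
	aead, _ := newAEAD(key)
	rec, _ := sealPage(aead, 7, []byte("page 7 contents"))
	_, err := openPage(aead, 8, rec) // same bytes presented as page 8
	fmt.Println("relocated page rejected:", err != nil)
}
```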