Support for HCTR2 mode?
Currently cryptsetup
is able to create volumes encrypted with wide-block cipher mode called 'Adiantum' (mode string is 'xchacha12,aes-adiantum-plain64' or 'xchacha20'). The main visible for simple people feature is that the block is really "wide", i.e. all 4k are encrypted at once, and changing single bit in decrypted block results in the whole encrypted 4k changing their contents. This is in contrast with 'traditional' XTS mode, where the encryption block size is just 16 bytes.
The wide-block feature gives less possibilities for the adversary to put eavesdropping onto the contents of underlying (encrypted) physical device, like tracking which specifically data has changed and guessing things like used FS, or just trying to insert old data or make corruption to it in small chunks.
However, adiantum mode was created primarily for the CPUs without AES support instructions and on those devices adiantum is really faster than AES-XTS (https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html). This speeds relation is yet quite the opposite on the CPUs having AES-NI (or equivalent in ARM world). For example, for me cryptsetup benchmark -c xchacha12,aes-adiantum-plain64
is more that twice slower than cryptsetup benchmark -c aes-xts-plain64
.
The linux kernel seems to have HCTR2 mode support since ~2022 https://lore.kernel.org/all/Ynq3l+CRd86ZNDMK@sol.localdomain/
This is a request to add support for 'aes-hctr2-plain64' to the cryptsetup
. Having this mode will both be faster than adiantum for AES-enabled CPUs and us give wide-block encryption.