Linux crypto options in the 2.6.24 and later kernels

The available ciphers and cipher modes in the Linux kernel have evolved fairly rapidly over the past couple of years. Of course it is important to track the version of the kernel that particular crypto code gets merged so that backward compatibility concerns can be addressed. I decided to put together some information from 2.6.24 to try and decide what crypto options made sense for encrypted swap files and backup disks.

Ciphers

With so many cipher options available I have generally limited myself to the top 3 in the AES selection process, all of which received more positive votes than negative votes. Serpent is generally slower than the other 2, presumably because of its more conservative design.

• AES (Rijndael)
• Twofish
• Serpent

Cipher Modes

• CBC - valid key sizes: 128, 256
  • cbc-plain - default for cryptsetup
  • cbc-essiv:sha256 - more secure
• LRW - valid key sizes: 128 (Serpent only), 256, 384
  • lrw-plain
  • lrw-benbi - more secure
• XTS - valid key sizes: 128 (Serpent only), 256, 384, 512
  • xts-plain - default xts
  • xts-benbi - very few details
  • xts-essiv:sha256 - even less details

Linux Timeline

• 2.6.10 - introduction of essiv
• 2.6.20 - introduction of lrw
• 2.6.24 - introduction of xts

I did some light informal testing and found that aes-xts-essiv:sha256 with a key size of 256 seemed to perform quite well (over 40MB per second writing to a loop device on an AMD Athlon64 3500+). This seems like a good choice for encrypting swap on 2.6.24 systems like Ubuntu 8.04. However if one needed disk encryption that would be compatible with Debian 4.0 or CentOS 5.2 then the cbc-essiv:sha256 would be the mode to use for compatibility. I also generally found that AES was faster than Twofish which was faster than Serpent. With key sizes of 512 the performance difference between AES and Twofish is pretty small.