I want to start encrypting all of my hard drives, but I don't know whether to choose XTS or GCM mode. Why is it that XTS is recommended (since the most websites I visit use GCM in their HTTPS connection)? So my question is: should I use XTS or GCM, and why is one better than the other?
Asked
Active
Viewed 5,078 times
2 Answers
8
XTS is designed so that the plaintext and ciphertext sizes are the same. This is "needed" for disk encryption in order to preserve the sector size. However, when you are encrypting your disk at the file level, this is a completely irrelevant issue. Also, XTS is not "ideal" in the sense that it's not truly a wide block cipher (defined as a pseudorandom permutation over the block size). It's a standard which is actually somewhat a compromise.
If you are encrypting at file level, then I would recommend an authenticated encryption scheme. GCM is of course possible, but you need to make sure that you have a unique IV and you need to make sure you keep within the bounds. It is possible to use a nonce-misuse resistant version as well; this is highly recommended since nonce reuse is not disastrous (at the very worst will reveal that two files are identical, but if the file includes the path name then this can't happen). You will probably be concerned about speed, but good implementations are well under a cycle a byte and so cost nothing compared to the cost of reading/writing to disk.
Yehuda Lindell
- 28,270
- 1
- 69
- 86
6
Use XTS for whole-disk encryption. It is designed for that purpose. Definition of XTS mode in wiki is under the Disk Encryption Theory which says enough i think :)
In GCM, for a fixed key each, IV value must be distinct. This makes it disadvantageous for encryption of large files.
From an early GCM question:
GCM is bounded to encrypting about 68 GB
However, if you still want to use GCM in disk encryption, you can check this question.
