Change block cipher mode from XTS -> HCTR2
We will be using aes-hctr2-plain64 cipher for encryptedstore.
Reason: With XTS, an attacker can tamper with or replay ciphertext at
16-byte granularity. A bit flip in the ciphertext diffuses randomly in the
plaintext, but only within an aligned 16-byte range. With HCTR2 this
diffusion covers the whole crypto sector.
For IV we use the 64 bytes' sector number referred to as "plain64".
Bug: 259253336
Test: Run a vm with --storage & --storage-size flag
Change-Id: I1ecd98072d6cb552d93fbc4053a3e6f004e0854e
diff --git a/encryptedstore/src/main.rs b/encryptedstore/src/main.rs
index d7d2382..5f27fd7 100644
--- a/encryptedstore/src/main.rs
+++ b/encryptedstore/src/main.rs
@@ -45,7 +45,7 @@
.args(&[
arg!(--blkdevice <FILE> "the block device backing the encrypted storage")
.required(true),
- arg!(--key <KEY> "key (in hex) equivalent to 64 bytes)").required(true),
+ arg!(--key <KEY> "key (in hex) equivalent to 32 bytes)").required(true),
arg!(--mountpoint <MOUNTPOINT> "mount point for the storage").required(true),
])
.get_matches();
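Review bot: The new `--key` help string still has an unbalanced closing parenthesis and does not say how long the hex string must be, which is easy to get wrong now that the old value of 64 bytes equals the new length in hex characters. Something like `arg!(--key <KEY> "key in hex (32 bytes, i.e. 64 hex characters)").required(true),` removes the ambiguity. Because the key is taken from the command line, it stays readable in the process's argument list for as long as the process runs; a comment stating in which environment that is acceptable would help the next reader. The argument list belongs to a builder call that starts above the hunk.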
@@ -87,12 +87,12 @@
fn enable_crypt(data_device: &Path, key: &str, name: &str) -> Result<PathBuf> {
let dev_size = util::blkgetsize64(data_device)?;
let key = hex::decode(key).context("Unable to decode hex key")?;
- ensure!(key.len() == 64, "We need 64 bytes' key for aes-xts cipher for block encryption");
+ ensure!(key.len() == 32, "We need 32 bytes' key for aes-hctr2 cipher for block encryption");
// Create the dm-crypt spec
let target = dm::crypt::DmCryptTargetBuilder::default()
.data_device(data_device, dev_size)
- .cipher(CipherType::AES256XTS) // TODO(b/259253336) Move to HCTR2 based encryption.
+ .cipher(CipherType::AES256HCTR2)
.key(&key)
.build()
.context("Couldn't build the DMCrypt target")?;
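Review bot: The `.cipher(CipherType::AES256HCTR2)` line now carries no comment, and the removed TODO was the only hint about the cipher choice. A short comment should record what this mode does and does not give, e.g. `// HCTR2 is wide-block but unauthenticated: a tampered sector decrypts to garbage, and a whole-sector replay is not detected.` The key length `32` appears both in the `ensure!` here and in the `--key` help text in the first hunk, so a named constant would keep the two in step. Nothing visible in this hunk handles a volume already set up under the previous XTS configuration with a 64-byte key; if such volumes can exist, presumably they will fail to open after this change, which is worth confirming. enable_crypt continues past the end of the hunk.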