Enhancing Storage Encryption with Wide-Block Ciphers & HCTR2 🔐

For storage encryption, narrow-block ciphers such as AES-XTS are not ideal. They are used anyway because more theoretically sound constructions traditionally had problems that prevented their widespread use. However, if designed and implemented well, wide-block ciphers are better suited for the use case; not only are they more secure; they are also harder to accidentally misuse and are cryptographically cleaner. HCTR2 is a new wide-block encryption mode that is being added to the Linux Crypto API. It is the first such mode supported by Linux that takes advantage of existing cryptography instructions such as AES-NI, and it will allow for more secure storage encryption with minimal performance loss. This talk will cover background on wide-block cipher modes, limitations of narrow-block modes, wide-block cipher support in Linux, the design of HCTR2, and applying HCTR2 to filenames encryption in the ext4 and f2fs filesystems.