Skip to content

--fde appears to use CBC, not XTS. Is that a problem?

Right now, the --fde switch appears to default to AES CBC encryption. It's not entirely clear to me whether it uses a diffuser, if not this would make it way more prone to tampering than XTS. Is there a specific reason why --fde doesn't just use XTS? And does it actually use CBC diffused or undiffused? I think the easiest way to ensure to get something reasonably tamper-proof would be to switch it to an XTS default, but I could be wrong.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information