On 31/01/2026 at 15:16, Aleks wrote:
> I selected the option aes+xts and the random key option and a key size
> of 256. I know that doing so for my root partition worked fine, it used
> luks and used a doubled key (in my case I selected 256 and it doubled it
> to 512)

TIL: "XTS mode takes two keys, hence the key sizes are double that for
other modes and half of it is the cipher key, the other half is the XTS
key" (from cryptsetup FAQ). For a 256-bit cipher key, you must specify a
512-bit key size to cryptsetup.

> But when I check in /etc/crypttab I see that even though I also used
> 256 for the swap partition, it didn't double it and it still says 256.
> /etc/crypttab entry after finishing the Debian installation is as follows:
> sda4_crypt /dev/sda4 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard,x-initrd.attach

Indeed, if XTS mode is selected then setup_luks() in lib/crypto_base.sh
doubles the key size when formatting an encrypted volume with
LUKS+passphrase and setup_dmcrypt() does the same when opening an
encrypted volume with plain dm-crypt+random key; however
crypttab_add_entry() in finish.d/crypto_config does not double the key
size when writing a crypttab entry for plain dm-crypt+random key. It
looks like commit 1cd80dd8 ("Also double key size for non-luks xts") was
incomplete.
I can add a trivial fix to my pending plain dm-crypt enhancements and
bugfixes (MR !4).
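
A way to check an installed system for the mismatch discussed in this thread, as an added example that is not part of the original messages or of the installer's code: it lists XTS entries in a crypttab file and the cipher key size each one actually yields. The function names `audit_crypttab` and `sample_crypttab` are hypothetical, and the `sdb1_crypt` and `sdc1_crypt` sample entries are constructed; only the `sda4_crypt` entry comes from the report above.

```shell
#!/bin/sh
# Report the effective cipher key size of XTS entries in a crypttab file.
# In XTS mode half of size= is the cipher key and the other half is the XTS key.

audit_crypttab() {
    # Arguments: crypttab-format file(s); reads standard input when none given.
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF >= 4 {
            cipher = ""; size = ""; luks = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^cipher=/)    cipher = substr(opt[i], 8)
                else if (opt[i] ~ /^size=/) size = substr(opt[i], 6)
                else if (opt[i] == "luks")  luks = 1
            }
            # Assumption: entries marked luks take their key size from the
            # LUKS header, so only plain dm-crypt entries are reported.
            if (luks || cipher !~ /xts/ || size !~ /^[0-9]+$/) next
            printf "%s cipher=%s size=%d effective_cipher_key=%d\n",
                   $1, cipher, size, size / 2
        }
    ' "$@"
}

# Constructed sample input; the first entry is the one quoted in the report.
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <key file> <options>
sda4_crypt /dev/sda4 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard,x-initrd.attach
sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=512,swap
sdc1_crypt /dev/sdc1 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
EOF
}

# Demo run on the sample; on a real system: audit_crypttab /etc/crypttab
sample_crypttab | audit_crypttab
```

An entry reported with `effective_cipher_key=128` where 256 was selected in the installer is the case described in this thread.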