>> openssl enc command with -aes-xxx-xts doesn't work if an IV is specified
>
> When you say it "doesn't work", what do you mean? Do you get an error? If so
> what is it?

If only it was the actual problem. The thing is that *if* one wants to make enc work with XTS, it has to be treated specially, i.e. not as any other cipher. See http://marc.info/?t=136844751600003&r=1&w=2 for additional info.

Another alternative to custom header mentioned in referred thread can be to adhere to pre-defined fixed block size and read 16 bytes ahead, so that when one hits end of file, and finds that total_size%fixed_block_size<16, one can expand last block with total_size%fixed_block_size. I mean last block would be variable size from 16 up to fixed_block_size + 15 bytes, so that one doesn't have to make up padding scheme.

>> as below:
>> openssl enc -engine af_alg -aes-256-xts -in <plaintext_file> -out
>> <output_encrypted_file> -K
>> 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv
>> 00000000000000000000000000000000
>
> I notice you have installed a custom engine. Does it advertise XTS support?
> What happens if you do not use the engine?

I'm not saying that it's the case here, but it should be noted that in this case engine can impose own behaviour on enc. Most notably it can trick enc into treating whole file as one single sector [which is not necessarily cryptographically sound].

Bottom line [still] is that enc is not the place to perform XTS, *unless* it's treated specially. In other words question should not be about setting IV, but about *if* XTS should be supported by enc, and if so, how exactly.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
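
Added example, not part of the original message and not OpenSSL code: a Python sketch of the read-ahead chunking the message proposes, where a tail shorter than 16 bytes is folded into the last data unit so that no padding scheme is needed. The names xts_data_units and unit_sizes, the 512-byte unit size and the use of the unit index as the per-unit tweak are assumptions for illustration; the code only splits the stream and performs no encryption.

```python
import io

XTS_MIN = 16  # AES block size: XTS cannot process a data unit shorter than this


def xts_data_units(stream, unit_size):
    """Yield (index, chunk) data units from a binary stream of unknown length.

    Every unit is unit_size bytes except the last, which is 16..unit_size+15
    bytes. Assumption: the caller uses index as the XTS tweak for that unit.
    """
    if unit_size < XTS_MIN:
        raise ValueError("unit_size must be at least 16 bytes")
    buf = bytearray()
    index = 0
    while True:
        # Read ahead: hold one full unit plus 16 bytes before emitting anything.
        while len(buf) < unit_size + XTS_MIN:
            data = stream.read(unit_size + XTS_MIN - len(buf))
            if not data:
                break
            buf += data
        if len(buf) < unit_size + XTS_MIN:
            break  # end of input reached; buf now holds the final unit
        # At least 16 bytes follow this unit, so it is safe to emit it.
        yield index, bytes(buf[:unit_size])
        del buf[:unit_size]
        index += 1
    if len(buf) < XTS_MIN:
        # Only reachable when the whole input is shorter than one AES block.
        raise ValueError("input shorter than 16 bytes cannot be XTS-processed")
    # Final unit: a tail shorter than 16 bytes has been folded into it.
    yield index, bytes(buf)


def unit_sizes(total_size, unit_size=512):
    """Sizes of the units produced for a constructed input of total_size bytes."""
    stream = io.BytesIO(bytes(total_size))  # constructed sample input (zeros)
    return [len(chunk) for _, chunk in xts_data_units(stream, unit_size)]


if __name__ == "__main__":
    for n in (16, 512, 520, 528, 1039, 1040):
        print(n, unit_sizes(n))
```

Because XTS ciphertext has the same length as the plaintext, the same splitter yields identical unit boundaries when run over the encrypted file for decryption.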
