Effect of ESSIV when used with XTS

Question

I looked everywhere on the web and I did find a lot of information about full disk encryption, but nothing really answered my question.

When formatting a partition to use LUKS, the two most common ciphers are

• aes-xts-plain64
• aes-cbc-essiv:sha256.

Now I know that ESSIV is simply a way to prevent the watermarking attacks possible against CBC. Still, a cipher like "aes-xts-essiv:sha256" is accepted by cryptsetup, and it is the setting I have been using on my laptop for quite a while.

My question is then, why are people not using ESSIV with XTS instead of plain IVs? Every bit of entropy in the encryption procedure should make the result more resistant, right? Is doing this actually harmful to the security of the data, or does it just use slightly more processing power?

Answer 1

Because XTS already solves the problem ESSIV is designed to solve.

Disk encryption modes are meant for retaining some security despite the lack of space for a unique IV. They do this by making use of the sector number so that at least multiple copies of the same data stored in different places end up looking different. That is not sufficient for good general purpose security, but the best that can be done transparently in full disk encryption.

With XTS the sector number is used as a tweak so that every sector is encrypted with an effectively independent FPE transformation. With ESSIV each sector is encrypted with an effectively independent key. Using both would have no additional advantage: different sectors are already encrypted differently with XTS alone and using both would not change the fact that on rewriting the single sector is encrypted deterministically.

Another, more heuristic way to look at it is that using the information (sector number) again does not "add entropy".