Friday, May 3, 2024
Asked Sunday, March 12, 2023, 6:56:11 / answers: 1 / hits: 4551

ecryptfs-setup-private will by default use an AES 128 bit key.



Can I make it use a 256 bit key (32 bytes key length)?



Of course, I could do the whole process manually as described here: https://wiki.archlinux.org/index.php/System_Encryption_with_eCryptfs#Setup_.28in_detail.29



But I want to have the convenience of using ecryptfs's easy-to-use tools but just with a stronger encryption key.



I tried modifying /usr/bin/ecryptfs-setup-private (changing KEYBYTES="16" to KEYBYTES="32" inside), but the process of creating the Private/.Private directories will fail.



 Answers
3

The short answer is 'no'. When I wrote ecryptfs-setup-private, I chose a set of defaults for eCryptfs that I considered sensible, secure and supportable for millions of Ubuntu users who wouldn't care much about tunables over the long haul. This limited the number of configuration combinations we had to test and support.



As you've noted, eCryptfs is very configurable if you read the docs and mount manually, while the Ubuntu Encrypted Private/Home feature has a consistent set of options everywhere.



Moreover, Bruce Schneier has recommended against using AES256, in favor of AES128:




And for new applications I suggest that people don't use AES-256.
AES-128 provides more than enough security margin for the foreseeable
future.



[#38497] Monday, March 13, 2023
doredtness
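
The manual route mentioned in the answer comes down to passing the key length as a mount option. The sketch below is an added example, not code from the post or from the eCryptfs project; the helper name `ecryptfs_opts` is hypothetical and the signature values are constructed placeholders. It assumes the keys were already loaded into the kernel keyring with `ecryptfs-add-passphrase --fnek`.

```shell
#!/bin/sh
# Added example: build the option string for a manual eCryptfs mount with a
# chosen AES key length. Signature values used below are constructed.

# ecryptfs_opts KEY_BYTES SIG [FNEK_SIG]   (hypothetical helper name)
ecryptfs_opts() {
    key_bytes=$1
    sig=$2
    fnek_sig=${3:-}

    # AES only defines 128-, 192- and 256-bit keys.
    case $key_bytes in
        16|24|32) ;;
        *) echo "unsupported AES key length: $key_bytes bytes" >&2; return 1 ;;
    esac

    # Key signatures printed by ecryptfs-add-passphrase are 16 lowercase
    # hex characters; reject anything else before it reaches mount.
    for s in "$sig" $fnek_sig; do
        case $s in
            *[!0-9a-f]*) echo "bad signature: $s" >&2; return 1 ;;
        esac
        [ "${#s}" -eq 16 ] || { echo "bad signature: $s" >&2; return 1; }
    done

    opts="ecryptfs_sig=$sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=$key_bytes"
    # Filename encryption is optional and uses its own key signature.
    if [ -n "$fnek_sig" ]; then
        opts="$opts,ecryptfs_fnek_sig=$fnek_sig"
    fi
    printf '%s\n' "$opts"
}

# Demo with constructed signatures: options for a 256-bit (32-byte) key.
ecryptfs_opts 32 0123456789abcdef fedcba9876543210

# Usage as root (paths are placeholders; -i skips the interactive helper):
#   mount -i -t ecryptfs /home/USER/.Private /home/USER/Private \
#         -o "$(ecryptfs_opts 32 SIG FNEK_SIG)"
```
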