AES-CBC + Elephant diffuser

Darren J Moffat Darren.Moffat at Sun.COM
Thu Oct 29 09:59:35 EDT 2009

Eugen Leitl wrote:
> "We discuss why no existing cipher satisfies the requirements of this
> application". Uh-oh.
> AES-CBC + Elephant diffuser
> Brief Description
> A Disk Encryption Algorithm for Windows Vista

That is the key issue here, it is a disk encryption algorithm 
independent of the filesystem that sits above it.

If instead you put the encryption directly into the filesystem, rather 
than below it, then the restrictions of sector size that mean you can't 
easily use a MAC go away.

This is exactly what we have done for ZFS, we do use a MAC (the one from 
CCM or GCM modes) as well as a SHA256 hash of the ciphertext (used for 
resilvering operations in RAID) and they are stored in the block 
pointers (not the data blocks) forming a Merkle tree.  We also have a 
place to store an IV.  So every encrypted ZFS block is self contained, 
has an IV and a 16 byte MAC.   This means that the crypto is all 
standards based algorithms and modes for ZFS.

Darren J Moffat

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list