3

I'm using cryptsetup 2.1.0, for which the default encryption options are (as reported by cryptsetup --help):

Default compiled-in device cipher parameters:
    LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
    LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

I'm also reading the ArchLinux dm-crypt wiki which for LUKS states:

By default a 256 bit key-size is used. Note however that XTS splits the supplied key in half, so to use AES-256 instead of AES-128 you have to set the XTS key-size to 512.

I am confused by the key-size doubling/halving. I don't understand whether:

  1. The default is equivalent to issuing --key-size 256 on command-line, AND the program doubles that to 512, to effectively obtain AES-256. This is what the manpage seems to say by "will be doubled"
  2. The default is equivalent to issuing --key-size 512 on command-line, AND the program halves that, effectively performing AES-256. This is what the ArchLinux page seems to say.

Which one is it, (1) or (2)? In other words, I need to know which key-size, when explicitly given on the command-line, is equivalent to the default (256 or 512?), AND what effective AES strength does that yield (AES-128 or AES-512?).

haelix
  • 438

1 Answer

3

Neither. The default is equivalent to issuing --key-size 256 as this refers to the key data handled by cryptsetup itself, but because XTS-AES requires two independent AES keys (one for the data and one for the "tweak" i.e. sector number), it splits the cryptsetup-supplied 256-bit key into two 128-bit AES keys.

This is still somewhat stronger than ordinary AES-128, however, because both keys are involved in encrypting each data block.

Likewise, if you specify --key-size 512, then a 512-bit key will be loaded via cryptsetup, but XTS-AES will split it into two 256-bit keys. (The "building block" AES cipher only comes in 128, 192, or 256-bit key variants, and the XTS cipher mode uses two of these "building blocks" at once. There is no AES-512.)

Details about how XTS-AES internally works can be found in:

grawity
  • 501,077
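To make the key split concrete, here is an added example (not code from the answer or from cryptsetup) that performs AES-XTS over one 512-byte sector by hand and checks it against a native XTS implementation. It assumes the Python `cryptography` package is installed; the sample keys, sector numbers and data are constructed for the demonstration.

```python
"""Added example: how cryptsetup's --key-size maps onto the two AES keys of XTS.

Assumes the `cryptography` package (not part of the original answer).
A 256-bit XTS key splits into two 128-bit AES keys (AES-128 in XTS mode);
a 512-bit XTS key splits into two 256-bit AES keys (AES-256 in XTS mode).
"""
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512  # bytes; one dm-crypt sector


def split_xts_key(key):
    """Return (K1 for data, K2 for tweak); each half is a complete AES key."""
    if len(key) not in (32, 64):  # 256 or 512 bits; there is no AES-512
        raise ValueError("XTS key must be 256 or 512 bits")
    half = len(key) // 2
    return key[:half], key[half:]


def _aes_block(key, block):
    """Raw single-block AES encryption (ECB over exactly one 16-byte block)."""
    enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
    return enc.update(block) + enc.finalize()


def _mul_alpha(t):
    """Multiply the 128-bit tweak by x in GF(2^128), IEEE 1619 little-endian form."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87  # reduce modulo x^128 + x^7 + x^2 + x + 1
    return n.to_bytes(16, "little")


def xts_encrypt_sector(key, sector, data):
    """AES-XTS over one whole sector; the IV is the plain64-style LE sector number."""
    assert len(data) == SECTOR_SIZE, "example handles one full sector (no ciphertext stealing)"
    k1, k2 = split_xts_key(key)
    t = _aes_block(k2, sector.to_bytes(16, "little"))  # tweak encrypted with K2 only
    out = bytearray()
    for i in range(0, len(data), 16):
        pp = bytes(a ^ b for a, b in zip(data[i:i + 16], t))
        cc = _aes_block(k1, pp)                           # data encrypted with K1 only
        out += bytes(a ^ b for a, b in zip(cc, t))
        t = _mul_alpha(t)                                 # next block gets tweak * alpha
    return bytes(out)


def library_xts_encrypt(key, sector, data):
    """Reference: the same sector through the library's native XTS mode."""
    enc = Cipher(algorithms.AES(key), modes.XTS(sector.to_bytes(16, "little")),
                 backend=default_backend()).encryptor()
    return enc.update(data) + enc.finalize()
```

Note that a 512-bit key passed to `algorithms.AES` is accepted precisely because XTS consumes two AES-256 keys, not one AES-512 key.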